From e402f36d43087428721ed7258c5e34fac679bef1 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Tue, 25 Jan 2022 12:35:50 +1030 Subject: [PATCH 1/4] packages/windows/sysmon_operational: normalise field order and remove event.ingested --- .../pipeline/test-events.json-expected.json | 18718 ++++++++-------- .../elasticsearch/ingest_pipeline/default.yml | 3 - 2 files changed, 9259 insertions(+), 9462 deletions(-) diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json index b5307b7d661..b86786e1942 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json @@ -1,46 +1,8 @@ { "expected": [ { - "process": { - "name": "iexplore.exe", - "pid": 356, - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe" - }, - "winlog": { - "computer_name": "vagrant-2016", - "record_id": "66", - "process": { - "pid": 2828, - "thread": { - "id": 1684 - } - }, - "event_id": "22", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, + "@timestamp": "2019-07-18T03:34:01.239Z", "dns": { - "question": { - "name": "go.microsoft.com", - "subdomain": "go", - "registered_domain": "microsoft.com", - "top_level_domain": "com" - }, "answers": [ { "data": "go.microsoft.com.edgekey.net", 
@@ -55,16 +17,45 @@ "type": "A" } ], + "question": { + "name": "go.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "go", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.239Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 }, "related": { "hosts": [ 
@@ -76,67 +67,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.201986672Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "67", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "66", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "www.msn.com", - "subdomain": "www", - "registered_domain": "msn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.261Z", + "dns": { "answers": [ { "data": "www-msn-com.a-0003.a-msedge.net", 
@@ -151,16 +112,45 @@ "type": "A" } ], + "question": { + "name": "www.msn.com", + "registered_domain": "msn.com", + "subdomain": "www", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, 
+ "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.261Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -172,147 +162,116 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.201993054Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "go.exe", - "pid": 2184, - 
"entity_id": "{42f11c3b-c36f-5eb3-2c07-290000000000}", - "pe": { - "imphash": "d90d8c7812aec8da0fa173afa1293ab2" - }, - "hash": { - "md5": "199e1cf5b2250bd515ecccf4ca686301" - }, - "executable": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "612", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 664, + "pid": 2828, "thread": { - "id": 2360 + "id": 1684 } }, - "event_id": "23", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "67", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "file": { - "archived": true, - "is_executable": true - } - }, + }, + "version": 5 + } + }, + { "@timestamp": "2020-05-07T08:14:44.489Z", - "file": { - "name": "test.test.exe", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe", - "extension": "exe", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ], - "hash": [ - "199e1cf5b2250bd515ecccf4ca686301", - "d90d8c7812aec8da0fa173afa1293ab2" - ] - }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.201993802Z", - "code": "23", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T08:14:44.489978500Z'/\u003e\u003cEventRecordID\u003e612\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 08:14:44.489\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-c36f-5eb3-2c07-290000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2184\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\u003c/Data\u003e\u003cData Name='IsExecutable'\u003etrue\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-07T08:14:44.489Z", "category": [ "file" ], + "code": "23", + "created": "2020-05-07T08:14:44.489Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T08:14:44.489978500Z'/\u003e\u003cEventRecordID\u003e612\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 08:14:44.489\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-c36f-5eb3-2c07-290000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2184\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\u003c/Data\u003e\u003cData Name='IsExecutable'\u003etrue\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "deletion" ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "file": { + "directory": 
"C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001", + "extension": "exe", + "name": "test.test.exe", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe" }, - "winlog": { - "computer_name": "vagrant-2016", - "record_id": "68", - "process": { - "pid": 2828, - "thread": { - "id": 1684 - } + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-c36f-5eb3-2c07-290000000000}", + "executable": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe", + "hash": { + "md5": "199e1cf5b2250bd515ecccf4ca686301" }, - "event_id": "22", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } + "name": "go.exe", + "pe": { + "imphash": "d90d8c7812aec8da0fa173afa1293ab2" + }, + "pid": 2184 + }, + "related": { + "hash": [ + "199e1cf5b2250bd515ecccf4ca686301", + "d90d8c7812aec8da0fa173afa1293ab2" + ], + "user": [ + "vagrant" + ] }, "sysmon": { - "dns": { - "status": "SUCCESS" + "file": { + "archived": true, + "is_executable": true } }, - "log": { - "level": "information" + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-18", + "name": "vagrant" }, - "dns": { - "question": { - "name": "static-global-s-msn-com.akamaized.net", - "subdomain": "static-global-s-msn-com", - "registered_domain": "akamaized.net", - "top_level_domain": "net" + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "23", + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 2360 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "612", + "user": { + "identifier": "S-1-5-18" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.449Z", + "dns": { 
"answers": [ { "data": "a1999.dscg2.akamai.net", 
@@ -327,17 +286,46 @@ "type": "A" } ], + "question": { + "name": "static-global-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": "static-global-s-msn-com", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.449Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -348,67 +336,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.201994275Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 
356, - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "69", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "68", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "www.bing.com", - "subdomain": "www", - "registered_domain": "bing.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.457Z", + "dns": { "answers": [ { "data": "a-0001.a-afdentry.net.trafficmanager.net", 
@@ -427,17 +385,46 @@ "type": "A" } ], + "question": { + "name": "www.bing.com", + "registered_domain": "bing.com", + "subdomain": "www", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ 
+ "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.457Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 }, "related": { "hosts": [ 
@@ -449,210 +436,178 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.201994741Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "registry": { - "hive": "HKU", 
- "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", - "data": { - "strings": [ - "0x00000004" - ], - "type": "SZ_DWORD" - }, - "value": "Key 1", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1" - }, - "process": { - "name": "regedit.exe", - "pid": 6072, - "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", - "executable": "C:\\Windows\\regedit.exe" }, - "@timestamp": "2020-05-05T14:57:40.589Z", "winlog": { - "computer_name": "vagrant", - "record_id": "2682", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 5496, + "pid": 2828, "thread": { - "id": 876 + "id": 1684 } }, - "event_id": "13", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "EventType": "SetValue" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 2, + "record_id": "69", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2020-05-05T14:57:40.589Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.201995149Z", - "code": "13", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:40.599567200Z'/\u003e\u003cEventRecordID\u003e2682\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' 
ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:40.589\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\u003c/Data\u003e\u003cData Name='Details'\u003eDWORD (0x00000004)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-05T14:57:40.599Z", "category": [ "configuration", "registry" ], - "type": [ - "change" - ] - }, - "user": { - "id": "S-1-5-18" - } - }, - { + "code": "13", + "created": "2020-05-05T14:57:40.599Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:40.599567200Z'/\u003e\u003cEventRecordID\u003e2682\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:40.589\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\u003c/Data\u003e\u003cData Name='Details'\u003eDWORD (0x00000004)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "log": { + "level": "information" + }, "process": { - "name": "svchost.exe", - "pid": 776, - "entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}", - "hash": { - "sha1": "115106f5b338c87ae6836d50dd890de3da296367" + "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 6072 + }, + "registry": { + "data": { + "strings": [ + "0x00000004" + ], + "type": "SZ_DWORD" }, - "executable": "C:\\Windows\\System32\\svchost.exe" + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "value": "Key 1" + }, + "user": { + "id": "S-1-5-18" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "11", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", "process": { - "pid": 664, + "pid": 5496, "thread": { - "id": 2360 + "id": 876 } }, - "event_id": "23", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": 
"Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "2682", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "file": { - "archived": true, - "is_executable": false - } - }, + }, + "version": 2 + } + }, + { "@timestamp": "2020-05-07T07:27:18.722Z", - "file": { - "name": "lastalive0.dat", - "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat", - "extension": "dat", - "directory": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "LOCAL SERVICE" + "event": { + "category": [ + "file" ], - "hash": [ - "115106f5b338c87ae6836d50dd890de3da296367" + "code": "23", + "created": "2020-05-07T07:27:18.722Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T07:27:18.722136100Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 07:27:18.722\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-b2b6-5eb3-18ab-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e776\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=115106F5B338C87AE6836D50DD890DE3DA296367\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" ] }, + "file": { + "directory": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local", + "extension": "dat", + "name": "lastalive0.dat", + "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" + }, "log": { "level": "information" }, - "event": { - "ingested": "2022-01-12T05:21:33.201995521Z", - "code": "23", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T07:27:18.722136100Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 07:27:18.722\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-b2b6-5eb3-18ab-000000000000}\u003c/Data\u003e\u003cData 
Name='ProcessId'\u003e776\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=115106F5B338C87AE6836D50DD890DE3DA296367\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-07T07:27:18.722Z", - "category": [ - "file" + "process": { + "entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "hash": { + "sha1": "115106f5b338c87ae6836d50dd890de3da296367" + }, + "name": "svchost.exe", + "pid": 776 + }, + "related": { + "hash": [ + "115106f5b338c87ae6836d50dd890de3da296367" ], - "type": [ - "deletion" + "user": [ + "LOCAL SERVICE" ] }, + "sysmon": { + "file": { + "archived": true, + "is_executable": false + } + }, "user": { - "name": "LOCAL SERVICE", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "LOCAL SERVICE" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "70", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "23", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 664, "thread": { - "id": 1684 + "id": 2360 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "11", 
"user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "linkmaker.itunes.apple.com", - "subdomain": "linkmaker.itunes", - "registered_domain": "apple.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.494Z", + "dns": { "answers": [ { "data": "linkmaker.itunes.apple.com.edgekey.net", 
@@ -667,16 +622,45 @@ "type": "A" } ], + "question": { + "name": "linkmaker.itunes.apple.com", + "registered_domain": "apple.com", + "subdomain": "linkmaker.itunes", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", 
+ "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.494Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -688,66 +672,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.201996010Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "71", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "70", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "confiant-integrations.global.ssl.fastly.net", - "top_level_domain": "global.ssl.fastly.net", - "registered_domain": "confiant-integrations.global.ssl.fastly.net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.810Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -766,6 +721,11 @@ "type": "A" } ], + "question": { + "name": "confiant-integrations.global.ssl.fastly.net", + "registered_domain": "confiant-integrations.global.ssl.fastly.net", + "top_level_domain": "global.ssl.fastly.net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -773,82 +733,75 @@ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:01.810Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "confiant-integrations.global.ssl.fastly.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.201996513Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": 
"2019-07-18T03:34:02.025Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "confiant-integrations.global.ssl.fastly.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "72", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "71", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "c.msn.com", - "subdomain": "c", - "registered_domain": "msn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.894Z", + "dns": { "answers": [ { "data": "c.msn.com.nsatc.net", 
@@ -859,16 +812,45 @@ "type": "A" } ], + "question": { + "name": "c.msn.com", + "registered_domain": "msn.com", + "subdomain": "c", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.894Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -879,67 +861,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.201997048Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "73", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "72", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "c.bing.com", - "subdomain": "c", - "registered_domain": "bing.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.948Z", + "dns": { "answers": [ { "data": "c-bing-com.a-0001.a-msedge.net", 
@@ -958,17 +910,46 @@ "type": "A" } ], + "question": { + "name": "c.bing.com", + "registered_domain": "bing.com", + "subdomain": "c", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.948Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -980,153 +961,122 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.201997530Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "74", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "73", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "contextual.media.net", - "subdomain": "contextual", - "registered_domain": "media.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.085Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "contextual.media.net", + "registered_domain": "media.net", + "subdomain": "contextual", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.085Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "contextual.media.net" + "event": { + "category": [ + "network" ], - "ip": [ - "89.160.20.156" - ] - }, - "event": { - "ingested": "2022-01-12T05:21:33.201998121Z", "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", - "category": [ - "network" - ], "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "contextual.media.net" + ], + "ip": [ + 
"89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "75", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "74", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "at.atwola.com", - "subdomain": "at", - "registered_domain": "atwola.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.174Z", + "dns": { "answers": [ { "data": "glb-ads.atwola.adtechus.com", 
@@ -1149,16 +1099,45 @@ "type": "A" } ], + "question": { + "name": "at.atwola.com", + "registered_domain": "atwola.com", + "subdomain": "at", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.174Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -1172,67 +1151,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.201998658Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": 
"S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "76", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "75", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "m.adnxs.com", - "subdomain": "m", - "registered_domain": "adnxs.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.274Z", + "dns": { "answers": [ { "data": "microsoft.geo.appnexusgslb.net", @@ -1279,6 +1228,12 @@ "type": "A" } ], + "question": { + "name": "m.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "m", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -1291,12 +1246,35 @@ "192.168.80.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": 
"information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.274Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -1315,67 +1293,37 @@ "192.168.80.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.201999143Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": 
{ + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "77", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "76", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cms.analytics.yahoo.com", - "subdomain": "cms.analytics", - "registered_domain": "yahoo.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.291Z", + "dns": { "answers": [ { "data": "spcms-global.pbp.gysm.yahoodns.net", 
@@ -1386,87 +1334,86 @@ "type": "A" } ], + "question": { + "name": "cms.analytics.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "cms.analytics", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.291Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "spcms-global.pbp.gysm.yahoodns.net", - "cms.analytics.yahoo.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.201999511Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + 
"protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "spcms-global.pbp.gysm.yahoodns.net", + "cms.analytics.yahoo.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "78", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "77", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cvision.media.net", - "subdomain": "cvision", - "registered_domain": "media.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.413Z", + "dns": { "answers": [ { "data": "cvision.media.net.edgekey.net", 
@@ -1481,16 +1428,45 @@ "type": "A" } ], + "question": { + "name": "cvision.media.net", + "registered_domain": "media.net", + "subdomain": "cvision", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.413Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -1502,67 +1478,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202000027Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, 
- "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "79", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "78", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "g.bing.com", - "subdomain": "g", - "registered_domain": "bing.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.424Z", + "dns": { "answers": [ { "data": "g-bing-com.a-0001.a-msedge.net", 
@@ -1581,17 +1527,46 @@ "type": "A" } ], + "question": { + "name": "g.bing.com", + "registered_domain": "bing.com", + "subdomain": "g", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.424Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -1603,153 +1578,122 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202000589Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "80", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "79", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "lg3.media.net", - "subdomain": "lg3", - "registered_domain": "media.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.427Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "lg3.media.net", + "registered_domain": "media.net", + "subdomain": "lg3", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.427Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "lg3.media.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202001087Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "lg3.media.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "81", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "80", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": 
"service.sp.advertising.com", - "subdomain": "service.sp", - "registered_domain": "advertising.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.469Z", + "dns": { "answers": [ { "data": "service.sp.aolp-ds-prd.aws.oath.cloud", 
@@ -1768,18 +1712,47 @@ "type": "A" } ], + "question": { + "name": "service.sp.advertising.com", + "registered_domain": "advertising.com", + "subdomain": "service.sp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
+ "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.469Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -1790,128 +1763,97 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202001587Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "registry": { - "hive": 
"HKU", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "value": "HRZR_PGYFRFFVBA", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" - }, - "process": { - "name": "Explorer.EXE", - "pid": 4320, - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", - "executable": "C:\\Windows\\Explorer.EXE" }, - "@timestamp": "2020-05-05T14:57:44.714Z", "winlog": { - "computer_name": "vagrant", - "record_id": "2686", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 5496, + "pid": 2828, "thread": { - "id": 876 + "id": 1684 } }, - "event_id": "13", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "EventType": "SetValue" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 2, + "record_id": "81", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2020-05-05T14:57:44.714Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.202002055Z", - "code": "13", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2020-05-05T14:57:44.723248500Z'/\u003e\u003cEventRecordID\u003e2686\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-05T14:57:44.723Z", "category": [ "configuration", "registry" ], + "code": "13", + "created": "2020-05-05T14:57:44.723Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.723248500Z'/\u003e\u003cEventRecordID\u003e2686\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' 
ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "value": "HRZR_PGYFRFFVBA" + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "82", + "channel": 
"Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 5496, "thread": { - "id": 1684 + "id": 876 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "2686", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sb.scorecardresearch.com", - "subdomain": "sb", - "registered_domain": "scorecardresearch.com", - "top_level_domain": "com" }, + "version": 2 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.485Z", + "dns": { "answers": [ { "data": "sb.scorecardresearch.com.edgekey.net", 
@@ -1926,88 +1868,87 @@ "type": "A" } ], + "question": { + "name": "sb.scorecardresearch.com", + "registered_domain": "scorecardresearch.com", + "subdomain": "sb", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.485Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "sb.scorecardresearch.com.edgekey.net", - "e1879.e7.akamaiedge.net", - "sb.scorecardresearch.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202002675Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 
e1879.e7.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", "category": [ "network" ], - "type": [ - "connection", + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + 
"provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "sb.scorecardresearch.com.edgekey.net", + "e1879.e7.akamaiedge.net", + "sb.scorecardresearch.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "83", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "82", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "otf.msn.com", - "subdomain": "otf", - "registered_domain": "msn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.500Z", + "dns": { "answers": [ { "data": "iceotf-prod-fe-tm.trafficmanager.net", 
@@ -2022,16 +1963,45 @@ "type": "A" } ], + "question": { + "name": "otf.msn.com", + "registered_domain": "msn.com", + "subdomain": "otf", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.500Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -2043,195 +2013,163 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202003104Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "registry": { - "hive": "HKU", - 
"path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", - "data": { - "strings": [ - "5" - ], - "type": "SZ_QWORD" - }, - "value": "Key 2", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2" - }, - "process": { - "name": "regedit.exe", - "pid": 6072, - "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", - "executable": "C:\\Windows\\regedit.exe" }, - "@timestamp": "2020-05-05T14:57:44.714Z", "winlog": { - "computer_name": "vagrant", - "record_id": "2687", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 5496, + "pid": 2828, "thread": { - "id": 876 + "id": 1684 } }, - "event_id": "13", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "EventType": "SetValue" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 2, + "record_id": "83", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2020-05-05T14:57:44.714Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.202003524Z", - "code": "13", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.726009900Z'/\u003e\u003cEventRecordID\u003e2687\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' 
ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x00000005)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-05T14:57:44.726Z", "category": [ "configuration", "registry" ], + "code": "13", + "created": "2020-05-05T14:57:44.726Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.726009900Z'/\u003e\u003cEventRecordID\u003e2687\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData 
Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x00000005)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 6072 + }, "registry": { + "data": { + "strings": [ + "5" + ], + "type": "SZ_QWORD" + }, "hive": "HKU", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", - "value": "ertrqvg.rkr", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr" + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", + "value": "Key 2" }, - "process": { - "name": "Explorer.EXE", - "pid": 4320, - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", - "executable": "C:\\Windows\\Explorer.EXE" + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2020-05-05T14:57:46.808Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", 
"computer_name": "vagrant", - "record_id": "2690", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", "process": { "pid": 5496, "thread": { "id": 876 } }, - "event_id": "13", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "EventType": "SetValue" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 2, + "record_id": "2687", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:46.808Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.202004052Z", - "code": "13", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818821400Z'/\u003e\u003cEventRecordID\u003e2690\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-05T14:57:46.818Z", "category": [ "configuration", "registry" ], + "code": "13", + "created": "2020-05-05T14:57:46.818Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818821400Z'/\u003e\u003cEventRecordID\u003e2690\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData 
Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", + "value": "ertrqvg.rkr" + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "84", - "process": { - "pid": 2828, - "thread": { - "id": 1684 - } - }, - "event_id": "22", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", "opcode": "Info", + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "2690", "user": { 
"identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ping.chartbeat.net", - "subdomain": "ping", - "registered_domain": "chartbeat.net", - "top_level_domain": "net" }, + "version": 2 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.580Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -2266,6 +2204,12 @@ "type": "A" } ], + "question": { + "name": "ping.chartbeat.net", + "registered_domain": "chartbeat.net", + "subdomain": "ping", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -2277,81 +2221,75 @@ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.580Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "ping.chartbeat.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202004931Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": 
"event", - "created": "2019-07-18T03:34:03.029Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { 
- "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ping.chartbeat.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "85", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "84", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "clarium.freetls.fastly.net", - "top_level_domain": "freetls.fastly.net", - "registered_domain": "clarium.freetls.fastly.net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.628Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -2370,6 +2308,11 @@ "type": "A" } ], + "question": { + "name": "clarium.freetls.fastly.net", + "registered_domain": "clarium.freetls.fastly.net", + "top_level_domain": "freetls.fastly.net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -2377,82 +2320,75 @@ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.628Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "clarium.freetls.fastly.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202005405Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", "category": [ 
"network" ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "clarium.freetls.fastly.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "86", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "85", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "nym1-ib.adnxs.com", - "subdomain": "nym1-ib", - "registered_domain": "adnxs.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.633Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -2507,6 +2443,12 @@ "type": "A" } ], + "question": { + "name": "nym1-ib.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "nym1-ib", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -2523,12 +2465,35 @@ "192.168.92.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] 
+ }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.633Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -2543,67 +2508,37 @@ "192.168.92.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202005900Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - 
"info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "87", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "86", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "eb2.3lift.com", - "subdomain": "eb2", - "registered_domain": "3lift.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.716Z", + "dns": { "answers": [ { "data": "us-east-eb2.3lift.com", @@ -2650,6 +2585,12 @@ "type": "A" } ], + "question": { + "name": "eb2.3lift.com", + "registered_domain": "3lift.com", + "subdomain": "eb2", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -2662,12 +2603,35 @@ "192.168.6.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.716Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -2680,74 +2644,44 @@ "192.168.6.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202006380Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ 
- "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "88", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "87", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.727Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "px.ads.linkedin.com", - "subdomain": "px.ads", - "registered_domain": "linkedin.com", - "top_level_domain": "com" - }, "answers": [ { "data": "mix.linkedin.com", @@ -2798,6 +2732,12 @@ "type": "A" } ], + "question": { + "name": "px.ads.linkedin.com", + "registered_domain": "linkedin.com", + "subdomain": "px.ads", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -2811,12 +2751,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.727Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -2837,67 +2800,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202006970Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { 
+ "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "89", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "88", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "login.live.com", - "subdomain": "login", - "registered_domain": "live.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.733Z", + "dns": { "answers": [ { "data": "login.msa.msidentity.com", 
@@ -2920,18 +2853,47 @@ "type": "A" } ], + "question": { + "name": "login.live.com", + "registered_domain": "live.com", + "subdomain": "login", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.733Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -2943,74 +2905,44 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202007504Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - 
"name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "90", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "89", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.792Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "dis.criteo.com", - "subdomain": "dis", - "registered_domain": "criteo.com", - "top_level_domain": "com" - }, "answers": [ { "data": "89.160.20.156", @@ -3061,6 +2993,12 @@ "type": "A" } ], + "question": { + "name": "dis.criteo.com", + "registered_domain": "criteo.com", + "subdomain": "dis", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -3076,12 +3014,35 @@ "192.168.51.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.792Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3102,67 +3063,37 @@ "192.168.51.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202008041Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "91", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "90", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ib.adnxs.com", - "subdomain": "ib", - "registered_domain": "adnxs.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.792Z", + "dns": { "answers": [ { "data": "g.geogslb.com", @@ -3217,6 +3148,12 @@ "type": "A" } ], + "question": { + "name": "ib.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "ib", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -3231,12 +3168,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.792Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3251,67 +3211,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202008550Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - 
"protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "92", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "91", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cm.g.doubleclick.net", - "subdomain": "cm.g", - "registered_domain": "doubleclick.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.809Z", + "dns": { "answers": [ { "data": "pagead.l.doubleclick.net", 
@@ -3322,87 +3252,86 @@ "type": "A" } ], + "question": { + "name": "cm.g.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": "cm.g", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.809Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "pagead.l.doubleclick.net", - "cm.g.doubleclick.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202009071Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", "category": [ "network" ], - "type": [ + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + 
"protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pagead.l.doubleclick.net", + "cm.g.doubleclick.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "93", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "92", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "match.adsrvr.org", - "subdomain": "match", - "registered_domain": "adsrvr.org", - "top_level_domain": "org" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.821Z", + "dns": { "answers": [ { "data": "match-975362022.us-east-1.elb.amazonaws.com", @@ -3449,6 +3378,12 @@ "type": "A" } ], + "question": { + "name": "match.adsrvr.org", + "registered_domain": "adsrvr.org", + "subdomain": "match", + "top_level_domain": "org" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -3462,12 +3397,35 @@
 "192.168.14.30"
 ]
 },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:34:03.029Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "connection",
+ "protocol",
+ "info"
+ ]
+ },
+ "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.821Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3481,67 +3439,37 @@
 "192.168.14.30"
 ]
 },
- "event": {
- "ingested": "2022-01-12T05:21:33.202009564Z",
- "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
- "provider": "Microsoft-Windows-Sysmon",
- "kind": "event",
- "created": "2019-07-18T03:34:03.029Z",
- "category": [
- "network"
- ],
- "type": [
- "connection",
- "protocol",
"info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "94", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "93", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ssum-sec.casalemedia.com", - "subdomain": "ssum-sec", - "registered_domain": "casalemedia.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.821Z", + "dns": { "answers": [ { "data": "ssum-sec.casalemedia.com.edgekey.net", 
@@ -3556,16 +3484,45 @@
 "type": "A"
 }
 ],
+ "question": {
+ "name": "ssum-sec.casalemedia.com",
+ "registered_domain": "casalemedia.com",
+ "subdomain": "ssum-sec",
+ "top_level_domain": "com"
+ },
 "resolved_ip": [
 "89.160.20.156"
 ]
 },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:34:03.029Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type":
[ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.821Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3577,67 +3534,37 @@
 "89.160.20.156"
 ]
 },
- "event": {
- "ingested": "2022-01-12T05:21:33.202010212Z",
- "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
- "provider": "Microsoft-Windows-Sysmon",
- "kind": "event",
- "created": "2019-07-18T03:34:03.029Z",
- "category": [
- "network"
- ],
- "type": [
- "connection",
- "protocol",
- "info"
- ]
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
 },
 "user": {
 "id": "S-1-5-18"
- }
- },
- {
- "process": {
- "name": "iexplore.exe",
- "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "95", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "94", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "protected-by.clarium.io", - "subdomain": "protected-by", - "registered_domain": "clarium.io", - "top_level_domain": "io" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.828Z", + "dns": { "answers": [ { "data": "adserver-clarium-446793891.us-east-1.elb.amazonaws.com", @@ -3684,6 +3611,12 @@ "type": "AAAA" } ], + "question": { + "name": "protected-by.clarium.io", + "registered_domain": "clarium.io", + "subdomain": "protected-by", + "top_level_domain": "io" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -3697,85 +3630,78 @@
 "2001:503:a83e::2:30"
 ]
 },
- "network": {
- "protocol": "dns"
- },
- "@timestamp": "2019-07-18T03:34:02.828Z",
 "ecs": {
 "version": "8.0.0"
 },
- "related": {
- "hosts": [
- "adserver-clarium-446793891.us-east-1.elb.amazonaws.com",
- "protected-by.clarium.io"
+ "event": {
+ "category": [
+ "network"
 ],
- "ip": [
- "89.160.20.156",
- "192.168.6.30",
- "2001:503:a83e::2:30"
- ]
- },
- "event": {
- "ingested": "2022-01-12T05:21:33.202010733Z",
 "code": "22",
+ "created": "2019-07-18T03:34:03.029Z",
+ "kind": "event",
 "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5
adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
 "provider": "Microsoft-Windows-Sysmon",
- "kind": "event",
- "created": "2019-07-18T03:34:03.029Z",
- "category": [
- "network"
- ],
 "type": [
 "connection",
 "protocol",
 "info"
 ]
 },
- "user": {
- "id": "S-1-5-18"
- }
- },
- {
+ "log": {
+ "level": "information"
+ },
+ "network": {
+ "protocol": "dns"
+ },
 "process": {
- "name": "iexplore.exe",
- "pid": 2736,
 "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
- "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
+ "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+ "name": "iexplore.exe",
+ "pid": 2736
+ },
+ "related": {
+ "hosts": [
+ "adserver-clarium-446793891.us-east-1.elb.amazonaws.com",
+ "protected-by.clarium.io"
+ ],
+ "ip": [
+ "89.160.20.156",
+ "192.168.6.30",
+ "2001:503:a83e::2:30"
+ ]
+ },
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
+ },
+ "user": {
+ "id": "S-1-5-18"
 },
 "winlog": {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
- "record_id": "96",
+ "event_id": "22",
+ "opcode": "Info",
 "process": {
 "pid": 2828,
 "thread": {
 "id": 1684
 }
 },
- "event_id": "22",
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
- "channel": "Microsoft-Windows-Sysmon/Operational",
- "opcode": "Info",
 "provider_name": "Microsoft-Windows-Sysmon",
- "version": 5,
+ "record_id": "95",
 "user": {
 "identifier": "S-1-5-18"
- }
- },
- "sysmon": {
- "dns": {
- "status": "SUCCESS"
- }
- },
- "log": {
- "level": "information"
- },
- "dns": {
- "question": {
- "name": "pagead2.googlesyndication.com",
- "subdomain":
"pagead2", - "registered_domain": "googlesyndication.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.838Z", + "dns": { "answers": [ { "data": "pagead46.l.doubleclick.net", 
@@ -3786,16 +3712,45 @@
 "type": "A"
 }
 ],
+ "question": {
+ "name": "pagead2.googlesyndication.com",
+ "registered_domain": "googlesyndication.com",
+ "subdomain": "pagead2",
+ "top_level_domain": "com"
+ },
 "resolved_ip": [
 "89.160.20.156"
 ]
 },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:34:03.029Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "connection",
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.838Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3806,67 +3761,37 @@
 "89.160.20.156"
 ]
 },
- "event": {
- "ingested": "2022-01-12T05:21:33.202011286Z",
- "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
- "provider": "Microsoft-Windows-Sysmon",
- "kind": "event",
- "created": "2019-07-18T03:34:03.029Z",
- "category": [
- "network"
- ],
- "type": [
- "connection",
- "protocol",
- "info"
- ]
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
 },
 "user": {
 "id": "S-1-5-18"
- }
- },
- {
- "process": {
- "name": "iexplore.exe",
- "pid": 2736,
- "entity_id":
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "97", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "96", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "googleads.g.doubleclick.net", - "subdomain": "googleads.g", - "registered_domain": "doubleclick.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.839Z", + "dns": { "answers": [ { "data": "pagead46.l.doubleclick.net", 
@@ -3877,16 +3802,45 @@
 "type": "A"
 }
 ],
+ "question": {
+ "name": "googleads.g.doubleclick.net",
+ "registered_domain": "doubleclick.net",
+ "subdomain": "googleads.g",
+ "top_level_domain": "net"
+ },
 "resolved_ip": [
 "89.160.20.156"
 ]
 },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:34:03.029Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "connection",
+ "protocol",
+ "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.839Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3897,67 +3851,37 @@
 "89.160.20.156"
 ]
 },
- "event": {
- "ingested": "2022-01-12T05:21:33.202011740Z",
- "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
- "provider": "Microsoft-Windows-Sysmon",
- "kind": "event",
- "created": "2019-07-18T03:34:03.029Z",
- "category": [
- "network"
- ],
- "type": [
- "connection",
- "protocol",
- "info"
- ]
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
 },
 "user": {
 "id": "S-1-5-18"
- }
- },
- {
- "process": {
- "name": "iexplore.exe",
- "pid": 2736,
- "entity_id":
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "98", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "97", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pixel.advertising.com", - "subdomain": "pixel", - "registered_domain": "advertising.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.841Z", + "dns": { "answers": [ { "data": "prod.ups-adcom.aolp-ds-prd.aws.oath.cloud", @@ -4000,6 +3924,12 @@ "type": "A" } ], + "question": { + "name": "pixel.advertising.com", + "registered_domain": "advertising.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -4011,84 +3941,77 @@
 "89.160.20.156"
 ]
 },
- "network": {
- "protocol": "dns"
- },
- "@timestamp": "2019-07-18T03:34:02.841Z",
 "ecs": {
 "version": "8.0.0"
 },
- "related": {
- "hosts": [
- "prod.ups-adcom.aolp-ds-prd.aws.oath.cloud",
- "prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud",
- "pixel.advertising.com"
- ],
- "ip": [
- "89.160.20.156"
- ]
- },
 "event": {
- "ingested": "2022-01-12T05:21:33.202012186Z",
- "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5
prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
- "provider": "Microsoft-Windows-Sysmon",
- "kind": "event",
- "created": "2019-07-18T03:34:03.029Z",
 "category": [
 "network"
 ],
+ "code": "22",
+ "created": "2019-07-18T03:34:03.029Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5
prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
 "type": [
 "connection",
 "protocol",
 "info"
 ]
 },
- "user": {
- "id": "S-1-5-18"
- }
- },
- {
+ "log": {
+ "level": "information"
+ },
+ "network": {
+ "protocol": "dns"
+ },
 "process": {
- "name": "iexplore.exe",
- "pid": 2736,
 "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
- "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
+ "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+ "name": "iexplore.exe",
+ "pid": 2736
+ },
+ "related": {
+ "hosts": [
+ "prod.ups-adcom.aolp-ds-prd.aws.oath.cloud",
+ "prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud",
+ "pixel.advertising.com"
+ ],
+ "ip": [
+ "89.160.20.156"
+ ]
+ },
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
+ },
+ "user": {
+ "id": "S-1-5-18"
 },
 "winlog": {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
- "record_id": "99",
+ "event_id": "22",
+ "opcode": "Info",
 "process": {
 "pid": 2828,
 "thread": {
 "id": 1684
 }
 },
- "event_id": "22",
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
- "channel": "Microsoft-Windows-Sysmon/Operational",
- "opcode": "Info",
 "provider_name": "Microsoft-Windows-Sysmon",
- "version": 5,
+ "record_id": "98",
 "user": {
 "identifier": "S-1-5-18"
- }
- },
- "sysmon": {
- "dns": {
- "status": "SUCCESS"
- }
- },
- "log": {
- "level": "information"
- },
- "dns": {
- "question": {
- "name": "onevideosync.uplynk.com",
- "subdomain": "onevideosync",
- "registered_domain": "uplynk.com",
- "top_level_domain": "com"
 },
+ "version": 5
+ }
+ },
+ {
+ "@timestamp":
"2019-07-18T03:34:02.844Z", + "dns": { "answers": [ { "data": "uplynk.adaptv.advertising.com", @@ -4123,6 +4046,12 @@ "type": "A" } ], + "question": { + "name": "onevideosync.uplynk.com", + "registered_domain": "uplynk.com", + "subdomain": "onevideosync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -4131,12 +4060,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.844Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4152,115 +4104,84 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202012623Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "@timestamp": "2019-03-18T16:57:37.933Z", + }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "1", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4616, + "pid": 2828, "thread": { - "id": 4724 + "id": 1684 } }, - "event_id": "16", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "Configuration": "C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "99", "user": { - "identifier": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, + "identifier": "S-1-5-18" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:37.933Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.202013012Z", - "code": "16", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e16\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e16\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:37.933324000Z'/\u003e\u003cEventRecordID\u003e1\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4616' ThreadID='4724'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-21-3541430928-2051711210-1391384369-1001'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.933\u003c/Data\u003e\u003cData Name='Configuration'\u003eC:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\u003c/Data\u003e\u003cData Name='ConfigurationFileHash'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:37.933Z", "category": [ "configuration" ], + "code": "16", + "created": "2019-03-18T16:57:37.933Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e16\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e16\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:37.933324000Z'/\u003e\u003cEventRecordID\u003e1\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4616' ThreadID='4724'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-3541430928-2051711210-1391384369-1001'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.933\u003c/Data\u003e\u003cData Name='Configuration'\u003eC:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\u003c/Data\u003e\u003cData Name='ConfigurationFileHash'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "log": { + "level": "information" + }, "user": { "id": 
"S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "100", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "Configuration": "C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n" + }, + "event_id": "16", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4616, "thread": { - "id": 1684 + "id": 4724 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "1", "user": { - "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ad.turn.com", - "subdomain": "ad", - "registered_domain": "turn.com", - "top_level_domain": "com" + "identifier": "S-1-5-21-3541430928-2051711210-1391384369-1001" }, + "version": 3 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.956Z", + "dns": { "answers": [ { "data": "ad.turn.com.akadns.net", 
@@ -4271,87 +4192,86 @@ "type": "A" } ], + "question": { + "name": "ad.turn.com", + "registered_domain": "turn.com", + "subdomain": "ad", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.956Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "ad.turn.com.akadns.net", - "ad.turn.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202013470Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, 
"process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ad.turn.com.akadns.net", + "ad.turn.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "101", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "100", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ups.analytics.yahoo.com", - "subdomain": "ups.analytics", - "registered_domain": "yahoo.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.005Z", + "dns": { "answers": [ { "data": "prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud", @@ -4390,6 +4310,12 @@ "type": "A" } ], + "question": { + "name": "ups.analytics.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "ups.analytics", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -4401,12 +4327,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.611Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.005Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4417,67 +4366,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202014113Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.611Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { 
+ "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "102", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "101", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pm.w55c.net", - "subdomain": "pm", - "registered_domain": "w55c.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.070Z", + "dns": { "answers": [ { "data": "dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com", @@ -4528,6 +4447,12 @@ "type": "A" } ], + "question": { + "name": "pm.w55c.net", + "registered_domain": "w55c.net", + "subdomain": "pm", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -4542,12 +4467,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.070Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4561,67 +4509,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202014615Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "103", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "102", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cm.eyereturn.com", - "subdomain": "cm", - "registered_domain": "eyereturn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.093Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -4672,6 +4590,12 @@ "type": "A" } ], + "question": { + "name": "cm.eyereturn.com", + "registered_domain": "eyereturn.com", + "subdomain": "cm", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -4687,93 +4611,86 @@ "192.168.51.30" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.093Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "cm.eyereturn.com" - ], - "ip": [ - "89.160.20.156", - "192.168.6.30", - "2001:503:a83e::2:30", - "192.168.14.30", - "2001:503:231d::2:30", - "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30", - "192.168.94.30", - "2001:502:1ca1::30", - "192.168.51.30" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202015236Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "cm.eyereturn.com" + ], + "ip": [ + "89.160.20.156", + "192.168.6.30", + "2001:503:a83e::2:30", + "192.168.14.30", + "2001:503:231d::2:30", + "192.168.92.30", + "2001:503:83eb::30", + "192.168.80.30", + "2001:500:856e::30", + "192.168.94.30", + "2001:502:1ca1::30", + "192.168.51.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "104", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "103", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "www.googletagservices.com", - "subdomain": "www", - 
"registered_domain": "googletagservices.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.099Z", + "dns": { "answers": [ { "data": "pagead46.l.doubleclick.net", 
@@ -4784,16 +4701,45 @@ "type": "A" } ], + "question": { + "name": "www.googletagservices.com", + "registered_domain": "googletagservices.com", + "subdomain": "www", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.099Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4804,67 +4750,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202015776Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "105", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "104", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cm.adgrx.com", - "subdomain": "cm", - "registered_domain": "adgrx.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.107Z", + "dns": { "answers": [ { "data": "rtb.adgrx.com", @@ -4915,6 +4831,12 @@ "type": "AAAA" } ], + "question": { + "name": "cm.adgrx.com", + "registered_domain": "adgrx.com", + "subdomain": "cm", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -4929,12 +4851,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + 
}, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.107Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4955,67 +4900,37 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202016261Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "106", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "105", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "csm2waycm-atl.netmng.com", - "subdomain": "csm2waycm-atl", - "registered_domain": "netmng.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.107Z", + "dns": { "answers": [ { "data": "j2waycm.netmng.com", @@ -5062,11 +4977,17 @@ "type": "AAAA" } ], - "resolved_ip": [ - "89.160.20.156", - "192.168.6.30", - "2001:503:a83e::2:30", - "192.168.14.30", + "question": { + "name": "csm2waycm-atl.netmng.com", + "registered_domain": "netmng.com", + "subdomain": "csm2waycm-atl", + "top_level_domain": "com" + }, + "resolved_ip": [ + "89.160.20.156", + "192.168.6.30", + "2001:503:a83e::2:30", + "192.168.14.30", "2001:503:231d::2:30", "192.168.92.30", "2001:503:83eb::30", 
@@ -5074,12 +4995,35 @@ "2001:500:856e::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.107Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -5099,117 +5043,86 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202016708Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": 
{ + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "@timestamp": "2019-03-18T16:57:38.011Z", + }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "2", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4516 + "id": 1684 } }, - "event_id": "4", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "SchemaVersion": "4.20", - "Version": "9.01", - "State": "Started" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "106", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.011Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.202017116Z", - "code": "4", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e4\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e2\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.011\u003c/Data\u003e\u003cData 
Name='State'\u003eStarted\u003c/Data\u003e\u003cData Name='Version'\u003e9.01\u003c/Data\u003e\u003cData Name='SchemaVersion'\u003e4.20\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:38.011Z", "category": [ "process" ], + "code": "4", + "created": "2019-03-18T16:57:38.011Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e4\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e2\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.011\u003c/Data\u003e\u003cData Name='State'\u003eStarted\u003c/Data\u003e\u003cData Name='Version'\u003e9.01\u003c/Data\u003e\u003cData Name='SchemaVersion'\u003e4.20\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "log": { + "level": "information" + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "107", + "channel": 
"Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SchemaVersion": "4.20", + "State": "Started", + "Version": "9.01" + }, + "event_id": "4", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4516 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "2", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pr-bh.ybp.yahoo.com", - "subdomain": "pr-bh.ybp", - "registered_domain": "yahoo.com", - "top_level_domain": "com" }, + "version": 3 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.112Z", + "dns": { "answers": [ { "data": "ds-pr-bh.ybp.gysm.yahoodns.net", 
@@ -5220,16 +5133,45 @@ "type": "A" } ], + "question": { + "name": "pr-bh.ybp.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "pr-bh.ybp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + 
"log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.112Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -5240,257 +5182,225 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202017594Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "108", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "107", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ps.eyeota.net", - "subdomain": "ps", - "registered_domain": "eyeota.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.113Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "ps.eyeota.net", + "registered_domain": "eyeota.net", + "subdomain": "ps", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.113Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "ps.eyeota.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202018287Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", "category": [ "network" ], - "type": [ - "connection", + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", "protocol", "info" ] }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ps.eyeota.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, "user": { "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "108", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 } }, { + "@timestamp": "2019-03-18T16:57:37.949Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "process" + ], + "code": "1", + "created": "2019-03-18T16:57:38.011Z", + "kind": "event", + "original": 
"\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e3\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.949\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-0010c73e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4860\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e9.01\u003c/Data\u003e\u003cData Name='Description'\u003eSystem activity monitor\u003c/Data\u003e\u003cData Name='Product'\u003eSysinternals Sysmon\u003c/Data\u003e\u003cData Name='Company'\u003eSysinternals - www.sysinternals.com\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData 
Name='Hashes'\u003eSHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0010f14d0000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e488\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\services.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\services.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "log": { + "level": "information" + }, "process": { "args": [ "C:\\Windows\\Sysmon.exe" ], + "args_count": 1, + "command_line": "C:\\Windows\\Sysmon.exe", + "entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", + "executable": "C:\\Windows\\Sysmon.exe", + "hash": { + "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" + }, + "name": "Sysmon.exe", "parent": { "args": [ "C:\\Windows\\system32\\services.exe" ], - "name": "services.exe", - "pid": 488, "args_count": 1, + "command_line": "C:\\Windows\\system32\\services.exe", "entity_id": "{42f11c3b-6e1a-5c8c-0000-0010f14d0000}", "executable": "C:\\Windows\\System32\\services.exe", - "command_line": "C:\\Windows\\system32\\services.exe" + "name": "services.exe", + "pid": 488 }, "pe": { - "file_version": "9.01", + "company": "Sysinternals - www.sysinternals.com", "description": "System activity monitor", - "product": "Sysinternals Sysmon", - "company": "Sysinternals - www.sysinternals.com" + "file_version": "9.01", + "product": "Sysinternals Sysmon" }, - "name": "Sysmon.exe", "pid": 4860, - "working_directory": "C:\\Windows\\system32\\", - "args_count": 1, - "entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", - "hash": { - "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" - }, - "executable": "C:\\Windows\\Sysmon.exe", - "command_line": "C:\\Windows\\Sysmon.exe" + "working_directory": "C:\\Windows\\system32\\" + }, + "related": { + "hash": [ + "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" + ], + 
"user": [ + "SYSTEM" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-18T16:57:37.949Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "3", - "process": { - "pid": 4860, - "thread": { - "id": 4516 - } - }, - "event_id": "1", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", "event_data": { "Company": "Sysinternals - www.sysinternals.com", "Description": "System activity monitor", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", - "IntegrityLevel": "System", - "TerminalSessionId": "0", "FileVersion": "9.01", + "IntegrityLevel": "System", + "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonId": "0x3e7", "Product": "Sysinternals Sysmon", - "LogonId": "0x3e7" + "TerminalSessionId": "0" }, + "event_id": "1", "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "3", "user": { "identifier": "S-1-5-18" - } - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "SYSTEM" - ], - "hash": [ - "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" - ] - }, - "log": { - "level": "information" - }, - "event": { - "ingested": "2022-01-12T05:21:33.202018863Z", - "code": "1", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e3\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.949\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-0010c73e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4860\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e9.01\u003c/Data\u003e\u003cData Name='Description'\u003eSystem activity monitor\u003c/Data\u003e\u003cData Name='Product'\u003eSysinternals Sysmon\u003c/Data\u003e\u003cData Name='Company'\u003eSysinternals - www.sysinternals.com\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0010f14d0000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e488\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\services.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\services.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - 
"kind": "event", - "created": "2019-03-18T16:57:38.011Z", - "category": [ - "process" - ], - "type": [ - "start" - ] - }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" + }, + "version": 5 } }, { + "@timestamp": "2019-07-18T03:34:03.146Z", "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", "type": "filebeat", "version": "8.0.0" }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" - }, - "winlog": { - "computer_name": "vagrant-2016", - "record_id": "109", - "process": { - "pid": 2828, - "thread": { - "id": 1684 - } - }, - "event_id": "22", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, "dns": { - "question": { - "name": "idpix.media6degrees.com", - "subdomain": "idpix", - "registered_domain": "media6degrees.com", - "top_level_domain": "com" - }, "answers": [ { "data": "idpix.media6degrees.com.cdn.cloudflare.net", 
@@ -5513,17 +5423,46 @@ "type": "A" } ], + "question": { + "name": "idpix.media6degrees.com", + "registered_domain": "media6degrees.com", + "subdomain": "idpix", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.146Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -5536,67 +5475,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202019741Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, 
"user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "110", - "process": { + "event_id": "22", + "opcode": "Info", + "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "109", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tpc.googlesyndication.com", - "subdomain": "tpc", - "registered_domain": "googlesyndication.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.146Z", + "dns": { "answers": [ { "data": "pagead-googlehosted.l.google.com", @@ -5639,6 +5548,12 @@ "type": "AAAA" } ], + "question": { + "name": "tpc.googlesyndication.com", + "registered_domain": "googlesyndication.com", + "subdomain": "tpc", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -5651,12 +5566,35 @@ "2001:500:856e::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + 
}, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.146Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -5675,170 +5613,139 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202020596Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "110", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 } }, { + "@timestamp": "2019-03-18T16:57:37.964Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "process" + ], + "code": "1", + "created": "2019-03-18T16:57:38.011Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e4\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.964\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-00102c412a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5028\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\unsecapp.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData 
Name='Description'\u003eSink to receive asynchronous callbacks for WMI client application\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, "process": { "args": [ "C:\\Windows\\system32\\wbem\\unsecapp.exe", "-Embedding" ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding", + "entity_id": "{42f11c3b-ce01-5c8f-0000-00102c412a00}", + "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", + "hash": { + "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" + }, + "name": "unsecapp.exe", "parent": { "args": [ "C:\\Windows\\system32\\svchost.exe", "-k", "DcomLaunch" ], - "name": "svchost.exe", - "pid": 560, "args_count": 3, + "command_line": "C:\\Windows\\system32\\svchost.exe -k 
DcomLaunch", "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", "executable": "C:\\Windows\\System32\\svchost.exe", - "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" + "name": "svchost.exe", + "pid": 560 }, "pe": { - "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "company": "Microsoft Corporation", "description": "Sink to receive asynchronous callbacks for WMI client application", - "product": "Microsoft« Windows« Operating System", - "company": "Microsoft Corporation" + "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "product": "Microsoft« Windows« Operating System" }, - "name": "unsecapp.exe", "pid": 5028, - "working_directory": "C:\\Windows\\system32\\", - "args_count": 2, - "entity_id": "{42f11c3b-ce01-5c8f-0000-00102c412a00}", - "hash": { - "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" - }, - "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", - "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding" - }, - "@timestamp": "2019-03-18T16:57:37.964Z", - "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "4", - "process": { - "pid": 4860, - "thread": { - "id": 4516 - } - }, - "event_id": "1", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "Company": "Microsoft Corporation", - "Description": "Sink to receive asynchronous callbacks for WMI client application", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", - "IntegrityLevel": "System", - "TerminalSessionId": "0", - "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", - "Product": "Microsoft« Windows« Operating System", - "LogonId": "0x3e7" - }, - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } - }, - "ecs": { - "version": "8.0.0" + "working_directory": "C:\\Windows\\system32\\" }, "related": { - "user": [ - "SYSTEM" - ], "hash": [ 
"6df8163a6320b80b60733f9d62e2f39b4b16b678" - ] - }, - "log": { - "level": "information" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "event": { - "ingested": "2022-01-12T05:21:33.202021417Z", - "code": "1", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e4\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.964\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-00102c412a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5028\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\unsecapp.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eSink to receive asynchronous callbacks for WMI client application\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData 
Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:38.011Z", - "category": [ - "process" ], - "type": [ - "start" + "user": [ + "SYSTEM" ] }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "111", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "Sink to receive asynchronous callbacks for WMI client application", + "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "IntegrityLevel": "System", + "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonId": "0x3e7", + "Product": "Microsoft« Windows« Operating System", + "TerminalSessionId": "0" + }, + "event_id": "1", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4516 } }, - "event_id": "22", 
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "4", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "image2.pubmatic.com", - "subdomain": "image2", - "registered_domain": "pubmatic.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.182Z", + "dns": { "answers": [ { "data": "pug44000nfc.pubmatic.com", @@ -5885,6 +5792,12 @@ "type": "AAAA" } ], + "question": { + "name": "image2.pubmatic.com", + "registered_domain": "pubmatic.com", + "subdomain": "image2", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -5897,17 +5810,40 @@ "2001:500:856e::30" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.182Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "pug44000nfc.pubmatic.com", - "pug44000nf.pubmatic.com", + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pug44000nfc.pubmatic.com", + "pug44000nf.pubmatic.com", "image2.pubmatic.com" ], "ip": [ 
@@ -5922,67 +5858,37 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202021926Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { 
+ "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "112", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "111", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sam.msn.com", - "subdomain": "sam", - "registered_domain": "msn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.183Z", + "dns": { "answers": [ { "data": "www.msn.com", 
@@ -6001,16 +5907,45 @@ "type": "A" } ], + "question": { + "name": "sam.msn.com", + "registered_domain": "msn.com", + "subdomain": "sam", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.183Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6023,67 +5958,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202022535Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", 
- "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "113", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "112", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.sca1b.amazontrust.com", - "subdomain": "ocsp.sca1b", - "registered_domain": "amazontrust.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.222Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -6134,6 +6039,12 @@ "type": "AAAA" } ], + "question": { + "name": "ocsp.sca1b.amazontrust.com", + "registered_domain": "amazontrust.com", + "subdomain": "ocsp.sca1b", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -6149,12 +6060,35 @@ "2001:500:856e::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.222Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6172,67 +6106,37 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202023067Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "114", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "113", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "c1.adform.net", - "subdomain": "c1", - "registered_domain": "adform.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.271Z", + "dns": { "answers": [ { "data": "track.adformnet.akadns.net", 
@@ -6251,17 +6155,46 @@ "type": "A" } ], - "resolved_ip": [ - "89.160.20.156", + "question": { + "name": "c1.adform.net", + "registered_domain": "adform.net", + "subdomain": "c1", + "top_level_domain": "net" + }, + "resolved_ip": [ + "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + 
"provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.271Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6273,67 +6206,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202023619Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "115", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "114", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "urs.microsoft.com", - "subdomain": "urs", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.271Z", + "dns": { "answers": [ { "data": "wd-prod-ss.trafficmanager.net", @@ -6368,6 +6271,12 @@ "type": "A" } ], + "question": { + "name": "urs.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "urs", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -6377,12 +6286,35 @@ "192.168.92.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": 
"information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.271Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6399,67 +6331,37 @@ "192.168.92.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202024026Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": 
{ + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "116", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "115", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dsum-sec.casalemedia.com", - "subdomain": "dsum-sec", - "registered_domain": "casalemedia.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.290Z", + "dns": { "answers": [ { "data": "dsum-sec.casalemedia.com.edgekey.net", 
@@ -6474,16 +6376,45 @@ "type": "A" } ], + "question": { + "name": "dsum-sec.casalemedia.com", + "registered_domain": "casalemedia.com", + "subdomain": "dsum-sec", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": 
[ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.290Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6495,68 +6426,38 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202024512Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "117", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "116", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.godaddy.com", - "subdomain": "ocsp", - "registered_domain": "godaddy.com", - "top_level_domain": "com" }, - "answers": [ + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.292Z", + "dns": { + "answers": [ { "data": "ocsp.godaddy.com.akadns.net", "type": "CNAME" 
@@ -6566,16 +6467,45 @@ "type": "A" } ], + "question": { + "name": "ocsp.godaddy.com", + "registered_domain": "godaddy.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.292Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6586,266 +6516,233 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202025042Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "118", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "117", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.315Z", "dns": { "question": { "name": "googleads.g.doubleclick.net", - "subdomain": "googleads.g", "registered_domain": "doubleclick.net", + "subdomain": "googleads.g", "top_level_domain": "net" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.315Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "googleads.g.doubleclick.net" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202025718Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802587100Z'/\u003e\u003cEventRecordID\u003e118\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802587100Z'/\u003e\u003cEventRecordID\u003e118\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 
03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "googleads.g.doubleclick.net" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "119", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "118", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.315Z", "dns": { "question": { "name": "tpc.googlesyndication.com", - "subdomain": "tpc", 
"registered_domain": "googlesyndication.com", + "subdomain": "tpc", "top_level_domain": "com" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.315Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "tpc.googlesyndication.com" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202026409Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802678700Z'/\u003e\u003cEventRecordID\u003e119\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", "category": [ "network" ], + "code": "22", + "created": 
"2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802678700Z'/\u003e\u003cEventRecordID\u003e119\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "tpc.googlesyndication.com" + ] + }, + "sysmon": { + "dns": { + "status": 
"DNS_ERROR_RECORD_DOES_NOT_EXIST" + } + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "Sysmon.exe", - "pid": 4616, - "entity_id": "{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}", - "executable": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe" }, - "@timestamp": "2019-03-18T16:57:38.981Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "5", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4516 + "id": 1684 } }, - "event_id": "5", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "119", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.981Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.202026804Z", - "code": "5", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e5\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData 
Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:38.981Z", "category": [ "process" ], + "code": "5", + "created": "2019-03-18T16:57:38.981Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e5\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "end" ] }, + "log": { + "level": "information" + }, + "process": { + 
"entity_id": "{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}", + "executable": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe", + "name": "Sysmon.exe", + "pid": 4616 + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "120", - "process": { - "pid": 2828, - "thread": { - "id": 1684 + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "5", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "5", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.usertrust.com", - "subdomain": "ocsp", - "registered_domain": "usertrust.com", - "top_level_domain": "com" }, + "version": 3 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.333Z", + "dns": { "answers": [ { "data": "t3j2g9x7.stackpathcdn.com", @@ -6892,6 +6789,12 @@ "type": "A" } ], + "question": { + "name": "ocsp.usertrust.com", + "registered_domain": "usertrust.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -6905,12 +6808,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.333Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6930,67 +6856,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202027209Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "121", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "120", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "isrg.trustid.ocsp.identrust.com", - "subdomain": "isrg.trustid.ocsp", - "registered_domain": "identrust.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.343Z", + "dns": { "answers": [ { "data": "isrg.trustid.ocsp.identrust.com.edgesuite.net", 
@@ -7009,17 +6905,46 @@ "type": "A" } ], + "question": { + "name": "isrg.trustid.ocsp.identrust.com", + "registered_domain": "identrust.com", + "subdomain": "isrg.trustid.ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.343Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -7031,67 +6956,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202027709Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - 
"process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "122", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "121", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ad.doubleclick.net", - "subdomain": "ad", - "registered_domain": "doubleclick.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.391Z", + "dns": { "answers": [ { "data": "dart.l.doubleclick.net", 
@@ -7102,138 +6997,136 @@ "type": "A" } ], + "question": { + "name": "ad.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": "ad", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.391Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "dart.l.doubleclick.net", - "ad.doubleclick.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202028288Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" 
+ }, "process": { - "name": "Sysmon.exe", - "pid": 4648, - "entity_id": "{42f11c3b-cdf4-5c8f-0000-0010071e2a00}", - "executable": "C:\\Users\\vagrant\\Downloads\\Sysmon.exe" + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, - "@timestamp": "2019-03-18T16:57:38.981Z", - "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "6", - "process": { - "pid": 4860, + "related": { + "hosts": [ + "dart.l.doubleclick.net", + "ad.doubleclick.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, "thread": { - "id": 4516 + "id": 1684 } }, - "event_id": "5", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "122", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.981Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.202028818Z", - "code": "5", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e6\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010071e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4648\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\Downloads\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:38.981Z", "category": [ "process" ], + "code": "5", + "created": "2019-03-18T16:57:38.981Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e6\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010071e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4648\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\Downloads\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "end" ] }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-cdf4-5c8f-0000-0010071e2a00}", + "executable": "C:\\Users\\vagrant\\Downloads\\Sysmon.exe", + "name": "Sysmon.exe", + "pid": 4648 + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "123", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "5", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4516 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "6", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.sectigo.com", - "subdomain": "ocsp", - "registered_domain": "sectigo.com", - "top_level_domain": "com" }, + "version": 3 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.393Z", + "dns": { "answers": [ { "data": "t3j2g9x7.stackpathcdn.com", @@ -7280,6 +7173,12 @@ "type": "A" } ], + "question": { + "name": "ocsp.sectigo.com", + "registered_domain": "sectigo.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -7293,12 +7192,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.393Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -7318,485 +7240,450 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202029364Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "123", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 } }, { + "@timestamp": "2019-03-18T16:57:39.012Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "process" + ], + "code": "1", + "created": "2019-03-18T16:57:39.012Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:39.012744700Z'/\u003e\u003cEventRecordID\u003e7\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:39.012\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce03-5c8f-0000-0010e9462a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4508\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData 
Name='Description'\u003eWMI Provider Host\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "log": { + "level": "information" + }, "process": { "args": [ "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "-Embedding" ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding", + "entity_id": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}", + "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "hash": { + "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" + }, + "name": "WmiPrvSE.exe", "parent": { "args": [ "C:\\Windows\\system32\\svchost.exe", "-k", "DcomLaunch" ], - "name": "svchost.exe", - "pid": 560, "args_count": 3, + "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", "executable": 
"C:\\Windows\\System32\\svchost.exe", - "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" + "name": "svchost.exe", + "pid": 560 }, "pe": { - "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "company": "Microsoft Corporation", "description": "WMI Provider Host", - "product": "Microsoft« Windows« Operating System", - "company": "Microsoft Corporation" + "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "product": "Microsoft« Windows« Operating System" }, - "name": "WmiPrvSE.exe", "pid": 4508, - "working_directory": "C:\\Windows\\system32\\", - "args_count": 2, - "entity_id": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}", - "hash": { - "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" - }, - "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" + "working_directory": "C:\\Windows\\system32\\" + }, + "related": { + "hash": [ + "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" + ], + "user": [ + "SYSTEM" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-18T16:57:39.012Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "7", - "process": { - "pid": 4860, - "thread": { - "id": 4516 - } - }, - "event_id": "1", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", "event_data": { "Company": "Microsoft Corporation", "Description": "WMI Provider Host", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", - "IntegrityLevel": "System", - "TerminalSessionId": "0", "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "IntegrityLevel": "System", + "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonId": "0x3e7", "Product": "Microsoft« Windows« Operating System", - "LogonId": "0x3e7" + "TerminalSessionId": "0" }, + "event_id": "1", "opcode": "Info", + "process": { + "pid": 
4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "7", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:47.847Z", + "destination": { + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 53 }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" + "event": { + "category": [ + "network" ], - "hash": [ - "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" + "code": "3", + "created": "2019-03-18T16:57:49.089Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData 
Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" ] }, "log": { "level": "information" }, - "event": { - "ingested": "2022-01-12T05:21:33.202029877Z", - "code": "1", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:39.012744700Z'/\u003e\u003cEventRecordID\u003e7\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:39.012\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{42f11c3b-ce03-5c8f-0000-0010e9462a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4508\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eWMI Provider Host\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:39.012Z", - "category": [ - "process" + "network": { + "community_id": "1:o5sHG56d/GR7mu8ASz0uSsv7uF0=", + "direction": "egress", + "protocol": "domain", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "related": { 
+ "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], - "type": [ - "start" + "user": [ + "NETWORK SERVICE" ] }, + "source": { + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 62141 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" + "id": "S-1-5-18", + "name": "NETWORK SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "8", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "8", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.070Z", "destination": { - "port": 53, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "source": { - "port": 62141, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "network": { - "protocol": "domain", - "community_id": "1:o5sHG56d/GR7mu8ASz0uSsv7uF0=", - "transport": "udp", - "type": "ipv6", - "direction": "egress" + "ip": "10.0.2.3", + "port": 53 }, - "@timestamp": "2019-03-18T16:57:47.847Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "NETWORK SERVICE" - ], - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202030305Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": 
"2019-03-18T16:57:49.089Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.089Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e9\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, - "user": { - "name": "NETWORK SERVICE", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" - }, - "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "9", - "process": { - "pid": 4860, - "thread": { - "id": 4492 - } - }, - "event_id": "3", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } - }, "log": { "level": "information" }, - "destination": { - "port": 53, - "ip": "10.0.2.3" - }, - "source": { - "port": 62141, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" - }, "network": { - "protocol": "domain", "community_id": "1:TXczQujzvcGYSvZ/CKEBu1p2riE=", + "direction": "ingress", + "protocol": "domain", "transport": "udp", - "type": "ipv4", - "direction": "ingress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:48.070Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 }, "related": { - "user": [ - "NETWORK SERVICE" - ], "ip": [ "10.0.2.15", "10.0.2.3" - ] - }, - "event": { - "ingested": "2022-01-12T05:21:33.202030811Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e9\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": 
"2019-03-18T16:57:49.089Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "NETWORK SERVICE" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 62141 + }, "user": { - "name": "NETWORK SERVICE", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "chrome.exe", - "pid": 1600, - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "id": "S-1-5-18", + "name": "NETWORK SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "10", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "9", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.148Z", + "destination": { + "ip": "89.160.20.156", + "port": 443 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 443, - "ip": "89.160.20.156" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 1138, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" + "log": { + "level": "information" }, "network": { - "protocol": "https", "community_id": "1:BPIgbA//CuXUCUo7V4pQn4uLQOk=", + "direction": "egress", + "protocol": "https", "transport": 
"tcp", - "type": "ipv4", - "direction": "egress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:48.148Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 }, "related": { - "user": [ - "vagrant" - ], "ip": [ "10.0.2.15", "89.160.20.156" - ] - }, - "event": { - "ingested": "2022-01-12T05:21:33.202031246Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "vagrant" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 1138 + }, "user": { - "name": "vagrant", "domain": "VAGRANT-2012-R2", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "chrome.exe", - "pid": 1600, - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "id": "S-1-5-18", + "name": "vagrant" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "11", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "10", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.214Z", "destination": { - "port": 443, - "ip": "89.160.20.156" + "ip": "89.160.20.156", + "port": 443 }, - "source": { - "port": 1139, - "ip": 
"10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" + "ecs": { + "version": "8.0.0" }, - "network": { - "protocol": "https", + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "log": { + "level": "information" + }, + "network": { "community_id": "1:FaLCJ8g6qTBdQh1Rvg2/ru25R6M=", + "direction": "egress", + "protocol": "https", "transport": "tcp", - "type": "ipv4", - "direction": "egress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:48.214Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 }, "related": { - "user": [ - "vagrant" - ], "ip": [ "10.0.2.15", "89.160.20.156" - ] - }, - "event": { - "ingested": "2022-01-12T05:21:33.202031889Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "vagrant" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 1139 + }, "user": { - "name": "vagrant", "domain": "VAGRANT-2012-R2", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "vagrant" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "124", + 
"channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4492 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "11", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.int-x3.letsencrypt.org", - "subdomain": "ocsp.int-x3", - "registered_domain": "letsencrypt.org", - "top_level_domain": "org" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.468Z", + "dns": { "answers": [ { "data": "ocsp.int-x3.letsencrypt.org.edgesuite.net", 
@@ -7815,17 +7702,46 @@ "type": "A" } ], + "question": { + "name": "ocsp.int-x3.letsencrypt.org", + "registered_domain": "letsencrypt.org", + "subdomain": "ocsp.int-x3", + "top_level_domain": "org" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + 
"provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.468Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -7837,67 +7753,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202032298Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": 
{ - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "125", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "124", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.pki.goog", - "subdomain": "ocsp", - "registered_domain": "pki.goog", - "top_level_domain": "goog" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.581Z", + "dns": { "answers": [ { "data": "pki-goog.l.google.com", @@ -7944,6 +7830,12 @@ "type": "A" } ], + "question": { + "name": "ocsp.pki.goog", + "registered_domain": "pki.goog", + "subdomain": "ocsp", + "top_level_domain": "goog" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -7957,12 +7849,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": 
{ "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.581Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -7982,146 +7897,115 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202032790Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "12", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4492 + "id": 1684 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "125", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", "destination": { - "port": 137, - "ip": "10.0.2.255" + "ip": "10.0.2.255", + "port": 137 }, - "source": { - "port": 137, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" - }, - "network": { - "protocol": "netbios-ns", - "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", - "transport": "udp", - "type": "ipv4", - "direction": "egress" - }, - "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" - ], - "ip": [ - "10.0.2.15", - "10.0.2.255" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202033277Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e12\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e12\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, + "log": { + "level": 
"information" + }, + "network": { + "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", + "direction": "egress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "10.0.2.15", + "10.0.2.255" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "126", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4492 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "12", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "googleads4.g.doubleclick.net", - "subdomain": "googleads4.g", - "registered_domain": "doubleclick.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.872Z", + "dns": { "answers": [ { "data": "pagead.l.doubleclick.net", 
@@ -8132,16 +8016,45 @@ "type": "A" } ], + "question": { + "name": "googleads4.g.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": "googleads4.g", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.872Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -8152,153 +8065,122 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202033982Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": 
"f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "13", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4492 + "id": 1684 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "126", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "destination": { - "port": 137, + "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" - }, - "source": { - "port": 137, - "ip": "10.0.2.255" - }, - "network": { - "protocol": "netbios-ns", - "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", - "transport": "udp", - "type": "ipv4", - "direction": "ingress" + "port": 137 }, - "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" - ], - "ip": [ - "10.0.2.255", - "10.0.2.15" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202034784Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e13\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ 
"network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e13\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", + "direction": "ingress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "10.0.2.255", + "10.0.2.15" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "ip": "10.0.2.255", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "127", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4492 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "13", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "images.taboola.com", - "subdomain": "images", - "registered_domain": "taboola.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.889Z", + "dns": { "answers": [ { "data": "f2.taboola.map.fastly.net", 
@@ -8321,6 +8203,12 @@ "type": "A" } ], + "question": { + "name": "images.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "images", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -8328,12 +8216,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.889Z", - 
"ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -8344,779 +8255,740 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202035415Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "14", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4492 + "id": 1684 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "127", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", + "destination": { + "ip": "ff02:0:0:0:0:0:1:3", + "port": 5355 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 5355, - "ip": "ff02:0:0:0:0:0:1:3" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e14\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData 
Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:e488:b85c:5262:ff86\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 55542, - "ip": "fe80:0:0:0:e488:b85c:5262:ff86", - "domain": "vagrant-2012-r2.local.crowbird.com" + "log": { + "level": "information" }, "network": { - "protocol": "llmnr", "community_id": "1:4DSgubObvMEI9IKNWPDqltrux+k=", + "direction": "egress", + "protocol": "llmnr", "transport": "udp", - "type": "ipv6", - "direction": "egress" + "type": "ipv6" }, - "@timestamp": "2019-03-18T16:57:48.250Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 }, "related": { - "user": [ - "NETWORK SERVICE" - ], "ip": [ 
"fe80:0:0:0:e488:b85c:5262:ff86", "ff02:0:0:0:0:0:1:3" - ] - }, - "event": { - "ingested": "2022-01-12T05:21:33.202035846Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e14\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:e488:b85c:5262:ff86\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "NETWORK SERVICE" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "fe80:0:0:0:e488:b85c:5262:ff86", + "port": 55542 + }, "user": { - "name": "NETWORK SERVICE", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" + "id": "S-1-5-18", + "name": "NETWORK SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "15", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "14", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", "destination": { - "port": 5355, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 5355 }, - "source": { - "port": 55542, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "network": { - "protocol": "llmnr", - "community_id": "1:zjVE29ipqvMTvzEUbTYQ6tGBM08=", - "transport": "udp", - "type": "ipv6", - "direction": "egress" - }, - "@timestamp": "2019-03-18T16:57:48.250Z", 
"ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "NETWORK SERVICE" - ], - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202036279Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData 
Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:zjVE29ipqvMTvzEUbTYQ6tGBM08=", + "direction": "egress", + "protocol": "llmnr", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "user": [ + "NETWORK SERVICE" + ] + }, + "source": { + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 55542 + }, "user": { - "name": "NETWORK SERVICE", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" + "id": "S-1-5-18", + "name": "NETWORK SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "16", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "15", "user": { 
"identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", "destination": { - "port": 137, - "ip": "89.160.20.156" + "ip": "89.160.20.156", + "port": 137 }, - "source": { - "port": 137, - "ip": "89.160.20.156" - }, - "network": { - "protocol": "netbios-ns", - "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", - "transport": "udp", - "type": "ipv4", - "direction": "egress" - }, - "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202036885Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData 
Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", + "direction": "egress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, "process": { "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "89.160.20.156" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "ip": "89.160.20.156", + "port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "17", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", 
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "16", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", "destination": { - "port": 137, - "ip": "89.160.20.156" - }, - "source": { - "port": 137, - "ip": "89.160.20.156" - }, - "network": { - "protocol": "netbios-ns", - "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", - "transport": "udp", - "type": "ipv4", - "direction": "ingress" + "ip": "89.160.20.156", + "port": 137 }, - "@timestamp": "2019-03-18T16:57:48.251Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202037358Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' 
ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", + "direction": "ingress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "89.160.20.156" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "ip": "89.160.20.156", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - 
} - }, - { - "process": { - "name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "18", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "17", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", + "destination": { + "ip": "ff02:0:0:0:0:0:1:3", + "port": 5355 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 5355, - "ip": "ff02:0:0:0:0:0:1:3" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e18\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData 
Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:616f:32fa:b04f:b419\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 55717, - "ip": "fe80:0:0:0:616f:32fa:b04f:b419" + "log": { + "level": "information" }, "network": { - "protocol": "llmnr", "community_id": "1:Zt/ImHlMNf4MciHXlRDkivgw2jY=", + "direction": "egress", + "protocol": "llmnr", "transport": "udp", - "type": "ipv6", - "direction": "egress" + "type": "ipv6" }, - "@timestamp": "2019-03-18T16:57:48.251Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 }, "related": { - "user": [ - "NETWORK SERVICE" - ], "ip": [ "fe80:0:0:0:616f:32fa:b04f:b419", "ff02:0:0:0:0:0:1:3" - ] - }, - "event": { - "ingested": 
"2022-01-12T05:21:33.202037852Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e18\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:616f:32fa:b04f:b419\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "NETWORK SERVICE" ] }, + "source": { + "ip": "fe80:0:0:0:616f:32fa:b04f:b419", + "port": 55717 + }, "user": { - "name": "NETWORK SERVICE", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" + "id": "S-1-5-18", + "name": "NETWORK SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "19", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "18", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", "destination": { - "port": 5355, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 5355 }, - "source": { - "port": 55717, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "network": { - "protocol": "llmnr", - "community_id": "1:CbJTXAoYGQFCeKHghMVMZBaSXX0=", - "transport": "udp", - "type": "ipv6", - "direction": "egress" - }, - "@timestamp": "2019-03-18T16:57:48.251Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "NETWORK SERVICE" - ], - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, "event": { - "ingested": 
"2022-01-12T05:21:33.202038381Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData 
Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, - "user": { - "name": "NETWORK SERVICE", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "community_id": "1:CbJTXAoYGQFCeKHghMVMZBaSXX0=", + "direction": "egress", + "protocol": "llmnr", + "transport": "udp", + "type": "ipv6" + }, "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 }, - "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "20", - "process": { - "pid": 4860, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "user": [ + "NETWORK SERVICE" + ] + }, + "source": { + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 55717 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "NETWORK SERVICE" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "19", "user": { "identifier": "S-1-5-18" - 
} + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.264Z", + "destination": { + "ip": "89.160.20.156", + "port": 137 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 137, - "ip": "89.160.20.156" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData 
Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 137, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" }, "network": { - "protocol": "netbios-ns", "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", + "direction": "egress", + "protocol": "netbios-ns", "transport": "udp", - "type": "ipv4", - "direction": "egress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:48.264Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 }, "related": { - "user": [ - "SYSTEM" - ], "ip": [ "10.0.2.15", "89.160.20.156" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "event": { - "ingested": "2022-01-12T05:21:33.202038998Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution 
ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "SYSTEM" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { + "channel": 
"Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "21", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "20", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.276Z", + "destination": { + "ip": "10.0.2.3", + "port": 137 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 137, - "ip": "10.0.2.3" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e21\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.276\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData 
Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 137, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" }, "network": { - "protocol": "netbios-ns", "community_id": "1:okFVyky/zOY2Q0BATy37YsbiveA=", + "direction": "egress", + "protocol": "netbios-ns", "transport": "udp", - "type": "ipv4", - "direction": "egress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:48.276Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 }, "related": { - "user": [ - "SYSTEM" - ], "ip": [ "10.0.2.15", "10.0.2.3" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "event": { - "ingested": "2022-01-12T05:21:33.202039453Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e21\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.276\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", - "category": [ - 
"network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "SYSTEM" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "22", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "21", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:49.213Z", + "destination": { + "ip": "89.160.20.156", + "port": 137 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 137, - "ip": "89.160.20.156" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:50.357Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' 
ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 137, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" + "log": { + "level": "information" }, "network": { - "protocol": "netbios-ns", "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", + "direction": "egress", + "protocol": "netbios-ns", "transport": "udp", - "type": "ipv4", - "direction": "egress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:49.213Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": 
"{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 }, "related": { - "user": [ - "SYSTEM" - ], "ip": [ "10.0.2.15", "89.160.20.156" - ] - }, - "event": { - "ingested": "2022-01-12T05:21:33.202039956Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:50.357Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "SYSTEM" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "128", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4492 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "22", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "api-s2s.taboola.com", - "subdomain": "api-s2s", - "registered_domain": "taboola.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.890Z", + "dns": { "answers": [ { "data": "f2.taboola.map.fastly.net", 
@@ -9139,6 +9011,12 @@ "type": "A" } ], + "question": { + "name": "api-s2s.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "api-s2s", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -9146,12 +9024,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.890Z", - 
"ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -9162,67 +9063,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202040351Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "129", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "128", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "x.bidswitch.net", - "subdomain": "x", - "registered_domain": "bidswitch.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.892Z", + "dns": { "answers": [ { "data": "89.160.20.156", 
@@ -9233,87 +9104,86 @@ "type": "A" } ], + "question": { + "name": "x.bidswitch.net", + "registered_domain": "bidswitch.net", + "subdomain": "x", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.892Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "x.bidswitch.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202040786Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, 
"process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "x.bidswitch.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "130", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "129", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pixel.adsafeprotected.com", - "subdomain": "pixel", - "registered_domain": "adsafeprotected.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.894Z", + "dns": { "answers": [ { "data": "anycast.pixel.adsafeprotected.com", @@ -9360,6 +9230,12 @@ "type": "A" } ], + "question": { + "name": "pixel.adsafeprotected.com", + "registered_domain": "adsafeprotected.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -9373,12 +9249,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": 
"information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.894Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -9398,66 +9297,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202041264Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + 
"dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "131", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "130", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ml314.com", - "top_level_domain": "com", - "registered_domain": "ml314.com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.894Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -9508,6 +9378,11 @@ "type": "A" } ], + "question": { + "name": "ml314.com", + "registered_domain": "ml314.com", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -9523,12 +9398,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.894Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -9547,67 +9445,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202041774Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "132", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "131", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "aa.agkn.com", - "subdomain": "aa", - "registered_domain": "agkn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.902Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -9658,6 +9526,12 @@ "type": "AAAA" } ], + "question": { + "name": "aa.agkn.com", + "registered_domain": "agkn.com", + "subdomain": "aa", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -9673,12 +9547,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.902Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -9698,67 +9595,37 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202042319Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "133", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "132", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "s0.2mdn.net", - "subdomain": "s0", - "registered_domain": "2mdn.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.911Z", + "dns": { "answers": [ { "data": "s0-2mdn-net.l.google.com", @@ -9805,6 +9672,12 @@ "type": "A" } ], + "question": { + "name": "s0.2mdn.net", + "registered_domain": "2mdn.net", + "subdomain": "s0", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -9818,12 +9691,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.911Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -9843,67 +9739,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202042885Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "134", - "process": { + "event_id": "22", + "opcode": "Info", + "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "133", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "b.scorecardresearch.com", - "subdomain": "b", - "registered_domain": "scorecardresearch.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.911Z", + "dns": { "answers": [ { "data": "b.scorecardresearch.com.edgesuite.net", 
@@ -9922,17 +9788,46 @@ "type": "A" } ], + "question": { + "name": "b.scorecardresearch.com", + "registered_domain": "scorecardresearch.com", + "subdomain": "b", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.911Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -9944,67 +9839,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202043489Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "135", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "134", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "edw.edmunds.com", - "subdomain": "edw", - "registered_domain": "edmunds.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.921Z", + "dns": { "answers": [ { "data": "f2.shared.global.fastly.net", @@ -10027,6 +9892,12 @@ "type": "A" } ], + "question": { + "name": "edw.edmunds.com", + "registered_domain": "edmunds.com", + "subdomain": "edw", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -10034,12 +9905,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.548Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.921Z", - 
"ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -10050,67 +9944,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202043890Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.548Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "136", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "135", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.digicert.com", - "subdomain": "ocsp", - "registered_domain": "digicert.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.101Z", + "dns": { "answers": [ { "data": "cs9.wac.phicdn.net", 
@@ -10121,87 +9985,86 @@ "type": "A" } ], + "question": { + "name": "ocsp.digicert.com", + "registered_domain": "digicert.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:04.101Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "cs9.wac.phicdn.net", - "ocsp.digicert.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.202044333Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, 
"process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, - "winlog": { - "computer_name": "vagrant-2016", - "record_id": "137", - "process": { - "pid": 2828, - "thread": { - "id": 1684 - } - }, - "event_id": "22", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } + "related": { + "hosts": [ + "cs9.wac.phicdn.net", + "ocsp.digicert.com" + ], + "ip": [ + "89.160.20.156" + ] }, "sysmon": { "dns": { "status": "SUCCESS" } }, - "log": { - "level": "information" + "user": { + "id": "S-1-5-18" }, - "dns": { - "question": { - "name": "pre-usermatch.targeting.unrulymedia.com", - "subdomain": "pre-usermatch.targeting", - "registered_domain": "unrulymedia.com", - "top_level_domain": "com" + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "136", + "user": { + "identifier": "S-1-5-18" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.137Z", + "dns": { "answers": [ { "data": "usermatch.targeting.unrulymedia.com", @@ -10248,6 +10111,12 @@ "type": "AAAA" } ], + "question": { + "name": "pre-usermatch.targeting.unrulymedia.com", + "registered_domain": "unrulymedia.com", + "subdomain": "pre-usermatch.targeting", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -10261,12 +10130,35 @@ "2001:503:83eb::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.137Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -10283,67 +10175,37 @@ "2001:503:83eb::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202044894Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - 
"protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "138", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "137", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "farm.plista.com", - "subdomain": "farm", - "registered_domain": "plista.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.141Z", + "dns": { "answers": [ { "data": "farm-hetzner.plista.com", @@ -10398,6 +10260,12 @@ "type": "A" } ], + "question": { + "name": "farm.plista.com", + "registered_domain": "plista.com", + "subdomain": "farm", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -10413,12 +10281,35 @@ "192.168.80.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + 
] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.141Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -10436,67 +10327,37 @@ "192.168.80.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202045429Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", 
- "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "139", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "138", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "beacon.krxd.net", - "subdomain": "beacon", - "registered_domain": "krxd.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.168Z", + "dns": { "answers": [ { "data": "beacon-n-ash.lb.krxd.net", @@ -10543,6 +10404,12 @@ "type": "A" } ], + "question": { + "name": "beacon.krxd.net", + "registered_domain": "krxd.net", + "subdomain": "beacon", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -10555,12 +10422,35 @@ "192.168.6.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.168Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -10573,611 +10463,572 @@ "192.168.6.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.202045973Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "23", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4492 + "id": 1684 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "139", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:49.218Z", + "destination": { + "ip": "89.160.20.156", + "port": 137 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 137, - "ip": "89.160.20.156" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:50.357Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 137, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" + "log": { + "level": "information" }, "network": { - "protocol": "netbios-ns", "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", + "direction": "egress", + "protocol": "netbios-ns", "transport": "udp", - "type": "ipv4", - "direction": "egress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:49.218Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 }, "related": { - "user": [ - "SYSTEM" - ], "ip": [ "10.0.2.15", "89.160.20.156" - ] - }, - "event": { - 
"ingested": "2022-01-12T05:21:33.207077979Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:50.357Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "SYSTEM" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "chrome.exe", - "pid": 4832, - "entity_id": "{42f11c3b-ccc6-5c8f-0000-001005082900}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-18T16:57:52.350Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "24", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { - "id": 4516 + "id": 4492 } }, - "event_id": "5", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "23", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.350Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207079722Z", - "code": "5", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-03-18T16:57:52.354274600Z'/\u003e\u003cEventRecordID\u003e24\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.350\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccc6-5c8f-0000-001005082900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4832\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.354Z", "category": [ "process" ], + "code": "5", + "created": "2019-03-18T16:57:52.354Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.354274600Z'/\u003e\u003cEventRecordID\u003e24\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 
16:57:52.350\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccc6-5c8f-0000-001005082900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4832\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "end" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, "process": { + "entity_id": "{42f11c3b-ccc6-5c8f-0000-001005082900}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", - "pid": 3208, - "entity_id": "{42f11c3b-cccc-5c8f-0000-0010e8272900}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "pid": 4832 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.364Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "25", + "event_id": "5", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "5", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "24", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.364Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207080365Z", - "code": "5", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.364042800Z'/\u003e\u003cEventRecordID\u003e25\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.364\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cccc-5c8f-0000-0010e8272900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3208\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.364Z", "category": [ "process" ], + "code": "5", + "created": "2019-03-18T16:57:52.364Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.364042800Z'/\u003e\u003cEventRecordID\u003e25\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' 
ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.364\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cccc-5c8f-0000-0010e8272900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3208\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "end" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, "process": { + "entity_id": "{42f11c3b-cccc-5c8f-0000-0010e8272900}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", - "pid": 1600, - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "pid": 3208 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.387Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "26", + "event_id": "5", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:52:04.980", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.387" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "25", "user": { "identifier": "S-1-5-18" - } - }, - "file": { - "name": "fe823684-c940-49f2-a940-14b02cbafba9.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User 
Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data" - }, + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.387Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207081009Z", - "code": "2", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.402119100Z'/\u003e\u003cEventRecordID\u003e26\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - 
"provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.402Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.402Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.402119100Z'/\u003e\u003cEventRecordID\u003e26\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "file": { + "directory": 
"C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", + "extension": "tmp", + "name": "fe823684-c940-49f2-a940-14b02cbafba9.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp" + }, + "log": { + "level": "information" + }, "process": { - "name": "chrome.exe", - "pid": 1600, "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.417Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "27", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:04.980", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.387" + }, + "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:52:04.980", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "26", "user": { "identifier": "S-1-5-18" - } - }, - "file": { - "name": "162d4140-cfab-4d05-9c92-bca60515a622.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data" - }, + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207081507Z", - "code": "2", - "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e27\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.417Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.417Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e27\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", + "extension": "tmp", + "name": "162d4140-cfab-4d05-9c92-bca60515a622.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp" + }, + "log": { + "level": "information" + }, "process": { - "name": "chrome.exe", - "pid": 1600, "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - 
"executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.417Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "28", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:04.980", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" + }, + "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:52:05.028", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "27", "user": { "identifier": "S-1-5-18" - } - }, - "file": { - "name": "1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default" - }, + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207082071Z", - "code": "2", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e28\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.028\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.417Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.417Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e28\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.028\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", + "extension": "tmp", + "name": "1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp" + }, + "log": { + "level": "information" + }, "process": { - "name": "chrome.exe", - "pid": 1600, "entity_id": 
"{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.417Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "29", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:05.028", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" + }, + "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:51:54.980", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "28", "user": { "identifier": "S-1-5-18" - } - }, - "file": { - "name": "37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default" - }, + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207082636Z", - "code": "2", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e29\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:51:54.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.417Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.417Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e29\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:51:54.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", + "extension": "tmp", + "name": "37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp" + }, + "log": { + "level": "information" }, "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", - "pid": 2680, - "entity_id": "{42f11c3b-ccab-5c8f-0000-001064eb2700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.433Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "30", + "event_data": { + "CreationUtcTime": "2019-03-18 16:51:54.980", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + }, + "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "5", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "29", "user": { "identifier": "S-1-5-18" - } + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207083651Z", - "code": "5", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e30\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccab-5c8f-0000-001064eb2700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2680\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.433Z", "category": [ "process" ], + "code": "5", + "created": "2019-03-18T16:57:52.433Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e30\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' 
ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccab-5c8f-0000-001064eb2700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2680\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "end" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, "process": { + "entity_id": "{42f11c3b-ccab-5c8f-0000-001064eb2700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", - "pid": 1600, - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "pid": 2680 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.433Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "31", + "event_id": "5", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:52:08.496", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "30", "user": { "identifier": "S-1-5-18" - } - }, - "file": { - "name": "ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def" - }, + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207084522Z", - "code": "2", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e31\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\u003c/Data\u003e\u003cData 
Name='CreationUtcTime'\u003e2019-03-18 16:52:08.496\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.433Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.433Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e31\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:08.496\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 
16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def", + "extension": "tmp", + "name": "ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "140", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:08.496", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + }, + "event_id": "2", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4516 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "31", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dsum.casalemedia.com", - "subdomain": "dsum", - "registered_domain": "casalemedia.com", - "top_level_domain": "com" }, + "version": 4 + } + }, + { + 
"@timestamp": "2019-07-18T03:34:04.169Z",
+ "dns": {
 "answers": [
 {
 "data": "dsum.casalemedia.com.edgekey.net",
@@ -11192,16 +11043,45 @@
 "type": "A"
 }
 ],
+ "question": {
+ "name": "dsum.casalemedia.com",
+ "registered_domain": "casalemedia.com",
+ "subdomain": "dsum",
+ "top_level_domain": "com"
+ },
 "resolved_ip": [
 "89.160.20.156"
 ]
 },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:34:04.692Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "connection",
+ "protocol",
+ "info"
+ ]
+ },
+ "log": {
+ "level": "information"
+ },
 "network": {
 "protocol": "dns"
 },
- "@timestamp": "2019-07-18T03:34:04.169Z",
- "ecs": {
- "version": "8.0.0"
+ "process": {
+ "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
+ "name": "iexplore.exe",
+ "pid": 2736
 },
 "related": {
 "hosts": [
@@ -11213,67 +11093,37 @@
 "89.160.20.156"
 ]
 },
- "event": {
- "ingested": "2022-01-12T05:21:33.207085103Z",
- "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
- "provider": "Microsoft-Windows-Sysmon",
- "kind": "event",
- "created": "2019-07-18T03:34:04.692Z",
- "category": [
- "network"
- ],
- "type": [
- "connection",
- "protocol",
- "info"
- ]
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
 },
 "user": {
 "id": "S-1-5-18"
- }
- },
- {
- "process": {
- "name": "iexplore.exe",
- "pid": 2736,
- "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
- "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
 },
 "winlog": {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
- "record_id": "141",
+ "event_id": "22",
+ "opcode": "Info",
 "process": {
 "pid": 2828,
 "thread": {
 "id": 1684
 }
 },
- "event_id": "22",
 "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
- "channel": "Microsoft-Windows-Sysmon/Operational",
- "opcode": "Info",
 "provider_name": "Microsoft-Windows-Sysmon",
- "version": 5,
+ "record_id": "140",
 "user": {
 "identifier": "S-1-5-18"
- }
- },
- "sysmon": {
- "dns": {
- "status": "SUCCESS"
- }
- },
- "log": {
- "level": "information"
- },
- "dns": {
- "question": {
- "name": "sync.mathtag.com",
- "subdomain": "sync",
- "registered_domain": "mathtag.com",
- "top_level_domain": "com"
 },
+ "version": 5
+ }
+ },
+ {
+ "@timestamp": "2019-07-18T03:34:04.169Z",
+ "dns": {
 "answers": [
 {
 "data": "pixel-origin.mathtag.com",
@@ -11324,6 +11174,12 @@
 "type": "A"
 }
 ],
+ "question": {
+ "name": "sync.mathtag.com",
+ "registered_domain": "mathtag.com",
+ "subdomain": "sync",
+ "top_level_domain": "com"
+ },
 "resolved_ip": [
 "89.160.20.156",
 "89.160.20.156",
@@ -11338,12 +11194,35 @@ "192.168.80.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.169Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -11361,67 +11240,37 @@ "192.168.80.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207085632Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "142", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "141", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "status.rapidssl.com", - "subdomain": "status", - "registered_domain": "rapidssl.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.184Z", + "dns": { "answers": [ { "data": "ocsp.digicert.com", 
@@ -11436,16 +11285,45 @@ "type": "A" } ], + "question": { + "name": "status.rapidssl.com", + "registered_domain": "rapidssl.com", + "subdomain": "status", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.184Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -11457,67 +11335,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207086172Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "143", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "142", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync.extend.tv", - "subdomain": "sync", - "registered_domain": "extend.tv", - "top_level_domain": "tv" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.184Z", + "dns": { "answers": [ { "data": "cookiesyncing-1395500543.us-east-1.elb.amazonaws.com", @@ -11568,6 +11416,12 @@ "type": "A" } ], + "question": { + "name": "sync.extend.tv", + "registered_domain": "extend.tv", + "subdomain": "sync", + "top_level_domain": "tv" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -11582,12 +11436,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", 
+ "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.184Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -11601,67 +11478,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207086783Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "144", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "143", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.comodoca.com", - "subdomain": "ocsp", - "registered_domain": "comodoca.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.185Z", + "dns": { "answers": [ { "data": "t3j2g9x7.stackpathcdn.com", @@ -11708,6 +11555,12 @@ "type": "A" } ], + "question": { + "name": "ocsp.comodoca.com", + "registered_domain": "comodoca.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -11721,12 +11574,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.185Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -11746,67 +11622,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207087318Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "145", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "144", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync-tm.everesttech.net", - "subdomain": "sync-tm", - "registered_domain": "everesttech.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.189Z", + "dns": { "answers": [ { "data": "sync.tubemogul.com", @@ -11837,6 +11683,12 @@ "type": "A" } ], + "question": { + "name": "sync-tm.everesttech.net", + "registered_domain": "everesttech.net", + "subdomain": "sync-tm", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -11844,12 +11696,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { 
"protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.189Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -11862,67 +11737,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207087885Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, 
"user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "146", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "145", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "idsync.rlcdn.com", - "subdomain": "idsync", - "registered_domain": "rlcdn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.237Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -11973,6 +11818,12 @@ "type": "A" } ], + "question": { + "name": "idsync.rlcdn.com", + "registered_domain": "rlcdn.com", + "subdomain": "idsync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -11988,12 +11839,35 @@ "192.168.51.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.237Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12014,67 +11888,37 @@ "192.168.51.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207088458Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "147", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "146", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cm.adform.net", - "subdomain": "cm", - "registered_domain": "adform.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.274Z", + "dns": { "answers": [ { "data": "track-eu.adformnet.akadns.net", @@ -12105,6 +11949,12 @@ "type": "A" } ], + "question": { + "name": "cm.adform.net", + "registered_domain": "adform.net", + "subdomain": "cm", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -12114,12 +11964,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - 
"@timestamp": "2019-07-18T03:34:04.274Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12130,153 +12003,122 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207089209Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": 
"S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "148", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "147", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dm.hybrid.ai", - "subdomain": "dm", - "registered_domain": "hybrid.ai", - "top_level_domain": "ai" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.302Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "dm.hybrid.ai", + "registered_domain": "hybrid.ai", + "subdomain": "dm", + "top_level_domain": "ai" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:04.302Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "dm.hybrid.ai" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207089800Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "dm.hybrid.ai" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "149", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - 
"channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "148", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "static.adsafeprotected.com", - "subdomain": "static", - "registered_domain": "adsafeprotected.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.304Z", + "dns": { "answers": [ { "data": "anycast.static.adsafeprotected.com", @@ -12323,6 +12165,12 @@ "type": "A" } ], + "question": { + "name": "static.adsafeprotected.com", + "registered_domain": "adsafeprotected.com", + "subdomain": "static", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -12336,12 +12184,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": 
"information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.304Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12361,67 +12232,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207090327Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + 
"dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "150", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "149", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "trc.taboola.com", - "subdomain": "trc", - "registered_domain": "taboola.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.322Z", + "dns": { "answers": [ { "data": "f2.taboola.map.fastly.net", @@ -12444,6 +12285,12 @@ "type": "A" } ], + "question": { + "name": "trc.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "trc", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -12451,12 +12298,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.322Z", - 
"ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12467,152 +12337,121 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207090836Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "151", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "150", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pippio.com", - "top_level_domain": "com", - "registered_domain": "pippio.com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.379Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "pippio.com", + "registered_domain": "pippio.com", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:04.379Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "pippio.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207091326Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pippio.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "152", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "151", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - 
"level": "information" - }, - "dns": { - "question": { - "name": "pixel-sync.sitescout.com", - "subdomain": "pixel-sync", - "registered_domain": "sitescout.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.482Z", + "dns": { "answers": [ { "data": "pixel-a.sitescout.com", @@ -12659,6 +12498,12 @@ "type": "A" } ], + "question": { + "name": "pixel-sync.sitescout.com", + "registered_domain": "sitescout.com", + "subdomain": "pixel-sync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -12672,12 +12517,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + 
}, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.482Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12697,67 +12565,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207091943Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "153", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "152", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "prod.y-medialink.com", - "subdomain": "prod", - "registered_domain": "y-medialink.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.502Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -12804,6 +12642,12 @@ "type": "AAAA" } ], + "question": { + "name": "prod.y-medialink.com", + "registered_domain": "y-medialink.com", + "subdomain": "prod", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -12818,12 +12662,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.502Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12843,67 +12710,37 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207092505Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "154", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "153", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "jadserve.postrelease.com", - "subdomain": "jadserve", - "registered_domain": "postrelease.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.507Z", + "dns": { "answers": [ { "data": "jadserve.postrelease.com.akadns.net", @@ -12934,6 +12771,12 @@ "type": "A" } ], + "question": { + "name": "jadserve.postrelease.com", + "registered_domain": "postrelease.com", + "subdomain": "jadserve", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -12943,83 +12786,76 @@ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:04.507Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "jadserve.postrelease.com.akadns.net", - "jadserve.postrelease.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207093042Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" 
] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "jadserve.postrelease.com.akadns.net", + "jadserve.postrelease.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "155", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "154", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "appnexus-partners.tremorhub.com", - "subdomain": "appnexus-partners", - "registered_domain": "tremorhub.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.508Z", + "dns": { "answers": [ { "data": "partners-1732315393.us-east-1.elb.amazonaws.com", @@ -13066,6 +12902,12 @@ "type": "AAAA" } ], + "question": { + "name": "appnexus-partners.tremorhub.com", + "registered_domain": "tremorhub.com", + "subdomain": "appnexus-partners", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -13079,12 +12921,35 @@ "2001:503:a83e::2:30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.508Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -13097,67 +12962,37 @@ "2001:503:a83e::2:30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207093562Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "156", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "155", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "x.dlx.addthis.com", - "subdomain": "x.dlx", - "registered_domain": "addthis.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.531Z", + "dns": { "answers": [ { "data": "gtm13.nexac.com", @@ -13196,6 +13031,12 @@ "type": "A" } ], + "question": { + "name": "x.dlx.addthis.com", + "registered_domain": "addthis.com", + "subdomain": "x.dlx", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -13206,12 +13047,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + 
"log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.531Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -13226,67 +13090,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207094590Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "157", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "156", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dh.serving-sys.com", - "subdomain": "dh", - "registered_domain": "serving-sys.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.532Z", + "dns": { "answers": [ { "data": "haproxy-dmp.sizmdx.com", @@ -13325,6 +13159,12 @@ "type": "A" } ], + "question": { + "name": "dh.serving-sys.com", + "registered_domain": "serving-sys.com", + "subdomain": "dh", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -13335,89 +13175,82 @@ "192.168.92.30" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:04.532Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "haproxy-dmp.sizmdx.com", - "dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com", - "dh.serving-sys.com" - ], - "ip": [ - "89.160.20.156", - "192.168.6.30", - "2001:503:a83e::2:30", - "192.168.14.30", - "2001:503:231d::2:30", - "192.168.92.30" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207095145Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 
dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 
dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "haproxy-dmp.sizmdx.com", + "dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com", + "dh.serving-sys.com" + ], + "ip": [ + "89.160.20.156", + "192.168.6.30", + "2001:503:a83e::2:30", + "192.168.14.30", + "2001:503:231d::2:30", + "192.168.92.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "158", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "157", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "match.sharethrough.com", - "subdomain": "match", - "registered_domain": "sharethrough.com", - 
"top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.534Z", + "dns": { "answers": [ { "data": "match-us-east-1.sharethrough.com", @@ -13472,6 +13305,12 @@ "type": "AAAA" } ], + "question": { + "name": "match.sharethrough.com", + "registered_domain": "sharethrough.com", + "subdomain": "match", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -13487,12 +13326,35 @@ "2001:503:231d::2:30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.534Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -13507,67 +13369,37 @@ "2001:503:231d::2:30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207095671Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", - "category": [ - "network" - ], - 
"type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "159", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "158", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tags.rd.linksynergy.com", - "subdomain": "tags.rd", - "registered_domain": "linksynergy.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.601Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -13614,6 +13446,12 @@ "type": "AAAA" } ], + "question": { + "name": "tags.rd.linksynergy.com", + "registered_domain": "linksynergy.com", + "subdomain": "tags.rd", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -13628,12 +13466,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.836Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.601Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -13653,67 +13514,37 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207096143Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.836Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "160", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "159", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "rtb-csync.smartadserver.com", - "subdomain": "rtb-csync", - "registered_domain": "smartadserver.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.604Z", + "dns": { "answers": [ { "data": "2-01-275d-002d.cdx.cedexis.net", @@ -13756,6 +13587,12 @@ "type": "A" } ], + "question": { + "name": "rtb-csync.smartadserver.com", + "registered_domain": "smartadserver.com", + "subdomain": "rtb-csync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -13767,13 +13604,36 @@ "192.168.80.30" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:04.604Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.836Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", 
+ "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, "related": { "hosts": [ "2-01-275d-002d.cdx.cedexis.net", 
@@ -13791,67 +13651,37 @@ "192.168.80.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207096668Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.836Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": 
{ + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "161", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "160", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sc.iasds01.com", - "subdomain": "sc", - "registered_domain": "iasds01.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.621Z", + "dns": { "answers": [ { "data": "anycast.sc.iasds01.com", @@ -13898,6 +13728,12 @@ "type": "A" } ], + "question": { + "name": "sc.iasds01.com", + "registered_domain": "iasds01.com", + "subdomain": "sc", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -13911,12 +13747,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.836Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.621Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -13936,67 +13795,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207097268Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.836Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "162", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "161", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dt.adsafeprotected.com", - "subdomain": "dt", - "registered_domain": "adsafeprotected.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.822Z", + "dns": { "answers": [ { "data": "sjedt.adsafeprotected.com", @@ -14043,6 +13872,12 @@ "type": "A" } ], + "question": { + "name": "dt.adsafeprotected.com", + "registered_domain": "adsafeprotected.com", + "subdomain": "dt", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -14056,12 +13891,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:05.034Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" 
+ }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.822Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14081,67 +13939,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207097805Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:05.034Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "163", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "162", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "status.thawte.com", - "subdomain": "status", - "registered_domain": "thawte.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.822Z", + "dns": { "answers": [ { "data": "ocsp.digicert.com", 
@@ -14156,16 +13984,45 @@ "type": "A" } ], + "question": { + "name": "status.thawte.com", + "registered_domain": "thawte.com", + "subdomain": "status", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:05.034Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" 
+ ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.822Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14177,74 +14034,44 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207098332Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:05.034Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": 
"f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "164", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "163", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.860Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "ads.stickyadstv.com", - "subdomain": "ads", - "registered_domain": "stickyadstv.com", - "top_level_domain": "com" - }, "answers": [ { "data": "ip1.ads.stickyadstv.com.akadns.net", @@ -14291,6 +14118,12 @@ "type": "A" } ], + "question": { + "name": "ads.stickyadstv.com", + "registered_domain": "stickyadstv.com", + "subdomain": "ads", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -14302,12 +14135,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:05.034Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + 
"type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.860Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14320,67 +14176,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207099079Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:05.034Z", - "category": [ - 
"network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "165", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "164", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "hbx.media.net", - "subdomain": "hbx", - "registered_domain": "media.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.904Z", + "dns": { "answers": [ { "data": "hbx.media.net.edgekey.net", 
@@ -14395,16 +14221,45 @@ "type": "A" } ], + "question": { + "name": "hbx.media.net", + "registered_domain": "media.net", + "subdomain": "hbx", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:06.051Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + 
] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.904Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14416,67 +14271,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207099701Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:06.051Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "166", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "165", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "match.taboola.com", - "subdomain": "match", - "registered_domain": "taboola.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.911Z", + "dns": { "answers": [ { "data": "trc.taboola.map.fastly.net", @@ -14499,6 +14324,12 @@ "type": "A" } ], + "question": { + "name": "match.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "match", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -14506,12 +14337,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:06.051Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.911Z", - 
"ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14522,67 +14376,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207100436Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:06.051Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "167", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "166", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "img-s-msn-com.akamaized.net", - "subdomain": "img-s-msn-com", - "registered_domain": "akamaized.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.056Z", + "dns": { "answers": [ { "data": "a1834.dspg2.akamai.net", 
@@ -14597,17 +14421,46 @@ "type": "A" } ], + "question": { + "name": "img-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": "img-s-msn-com", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:06.051Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + 
"type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.056Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14618,67 +14471,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207100971Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:06.051Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "168", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "167", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "static-entertainment-eus-s-msn-com.akamaized.net", - "subdomain": "static-entertainment-eus-s-msn-com", - "registered_domain": "akamaized.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.064Z", + "dns": { "answers": [ { "data": "a1505.g2.akamai.net", 
@@ -14693,17 +14516,46 @@ "type": "A" } ], + "question": { + "name": "static-entertainment-eus-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": "static-entertainment-eus-s-msn-com", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:07.049Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.064Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14714,67 +14566,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207101541Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:07.049Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", 
- "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "169", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "168", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "radarmaps.weather.microsoft.com", - "subdomain": "radarmaps.weather", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.178Z", + "dns": { "answers": [ { "data": "radarmaps.weather.microsoft.com.edgekey.net", 
@@ -14789,16 +14611,45 @@ "type": "A" } ], + "question": { + "name": "radarmaps.weather.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "radarmaps.weather", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:07.049Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.178Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14810,67 +14661,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207102078Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:07.049Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 356, - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "170", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "169", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "static-entertainment-eus-s-msn-com.akamaized.net", - "subdomain": "static-entertainment-eus-s-msn-com", - "registered_domain": "akamaized.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.455Z", + "dns": { "answers": [ { "data": "a1505.g2.akamai.net", 
@@ -14885,17 +14706,46 @@ "type": "A" } ], + "question": { + "name": "static-entertainment-eus-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": "static-entertainment-eus-s-msn-com", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:07.049Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.455Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 }, "related": { "hosts": [ 
@@ -14906,67 +14756,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207102578Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:07.049Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - 
"pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "171", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "170", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tag.sp.advertising.com", - "subdomain": "tag.sp", - "registered_domain": "advertising.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.494Z", + "dns": { "answers": [ { "data": "cs747173190.wac.omegacdn.net", 
@@ -14977,16 +14797,45 @@ "type": "A" } ], + "question": { + "name": "tag.sp.advertising.com", + "registered_domain": "advertising.com", + "subdomain": "tag.sp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:07.049Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + 
] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.494Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14997,67 +14846,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207103111Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:07.049Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "172", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "171", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "www.bing.com", - "subdomain": "www", - "registered_domain": "bing.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.567Z", + "dns": { "answers": [ { "data": "a-0001.a-afdentry.net.trafficmanager.net", 
@@ -15076,17 +14895,46 @@ "type": "A" } ], + "question": { + "name": "www.bing.com", + "registered_domain": "bing.com", + "subdomain": "www", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:07.049Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", 
+ "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.567Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15098,67 +14946,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207103696Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:07.049Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "173", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "172", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cdn.doubleverify.com", - "subdomain": "cdn", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.228Z", + "dns": { "answers": [ { "data": "akacdn.doubleverify.com.edgekey.net", 
@@ -15173,16 +14991,45 @@ "type": "A" } ], + "question": { + "name": "cdn.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "cdn", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.228Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15194,74 +15041,44 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207104227Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - 
"id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "174", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "173", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.357Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "cdn3.doubleverify.com", - "subdomain": "cdn3", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" - }, "answers": [ { "data": "cdn.doubleverify.com", 
@@ -15280,16 +15097,45 @@ "type": "A" } ], + "question": { + "name": "cdn3.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "cdn3", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.357Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15302,67 +15148,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207104965Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - 
"process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "175", - "process": { + "event_id": "22", + "opcode": "Info", + "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "174", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "rtb0.doubleverify.com", - "subdomain": "rtb0", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.721Z", + "dns": { "answers": [ { "data": "bs-geo.dvgtm.akadns.net", 
@@ -15377,16 +15193,45 @@ "type": "A" } ], + "question": { + "name": "rtb0.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "rtb0", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.721Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15398,67 +15243,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207105538Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 
2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "176", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "175", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dev.virtualearth.net", - "subdomain": "dev", - "registered_domain": "virtualearth.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.774Z", + "dns": { "answers": [ { "data": "platform.maps.glbdns2.microsoft.com", 
@@ -15473,16 +15288,45 @@ "type": "A" } ], + "question": { + "name": "dev.virtualearth.net", + "registered_domain": "virtualearth.net", + "subdomain": "dev", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + 
"type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.774Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15494,67 +15338,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207106095Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "177", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "176", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "t.ssl.ak.dynamic.tiles.virtualearth.net", - "subdomain": "t.ssl.ak.dynamic.tiles", - "registered_domain": "virtualearth.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.847Z", + "dns": { "answers": [ { "data": "t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net", 
@@ -15569,16 +15383,45 @@ "type": "A" } ], + "question": { + "name": "t.ssl.ak.dynamic.tiles.virtualearth.net", + "registered_domain": "virtualearth.net", + "subdomain": "t.ssl.ak.dynamic.tiles", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.847Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15590,67 +15433,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207106678Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - 
"process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "178", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "177", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "rp.gwallet.com", - "subdomain": "rp", - "registered_domain": "gwallet.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.943Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -15701,6 +15514,12 @@ "type": "A" } ], + "question": { + "name": "rp.gwallet.com", + "registered_domain": "gwallet.com", + "subdomain": "rp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -15716,12 +15535,35 @@ "192.168.51.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.943Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15742,67 +15584,37 @@ "192.168.51.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207107211Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "179", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "178", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ads.yahoo.com", - "subdomain": "ads", - "registered_domain": "yahoo.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.945Z", + "dns": { "answers": [ { "data": "fo-fd-world-new.yax.gysm.yahoodns.net", @@ -15825,6 +15637,12 @@ "type": "A" } ], + "question": { + "name": "ads.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "ads", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "98.138.49.44", 
@@ -15832,12 +15650,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": 
"2019-07-18T03:34:07.945Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15849,74 +15690,44 @@ "98.138.49.44" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207107675Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - 
"name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "180", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "179", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.954Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "um.simpli.fi", - "subdomain": "um", - "registered_domain": "simpli.fi", - "top_level_domain": "fi" - }, "answers": [ { "data": "89.160.20.156", 
@@ -15931,88 +15742,87 @@ "type": "A" } ], + "question": { + "name": "um.simpli.fi", + "registered_domain": "simpli.fi", + "subdomain": "um", + "top_level_domain": "fi" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:07.954Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "um.simpli.fi" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207108382Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": 
"dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, - "winlog": { + "related": { + "hosts": [ + "um.simpli.fi" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "181", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "180", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "mpp.vindicosuite.com", - "subdomain": "mpp", - "registered_domain": "vindicosuite.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.955Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -16059,6 +15869,12 @@ "type": "AAAA" } ], + "question": { + "name": "mpp.vindicosuite.com", + "registered_domain": "vindicosuite.com", + "subdomain": "mpp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -16073,12 +15889,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.955Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16098,153 +15937,122 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207108995Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "182", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "181", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync.1rx.io", - "subdomain": "sync", - "registered_domain": "1rx.io", - "top_level_domain": "io" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.955Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "sync.1rx.io", + "registered_domain": "1rx.io", + "subdomain": "sync", + "top_level_domain": "io" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:07.955Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "sync.1rx.io" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207109496Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "sync.1rx.io" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "183", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": 
"Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "182", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync.teads.tv", - "subdomain": "sync", - "registered_domain": "teads.tv", - "top_level_domain": "tv" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.956Z", + "dns": { "answers": [ { "data": "sync.teads.tv.edgekey.net", 
@@ -16259,16 +16067,45 @@ "type": "A" } ], + "question": { + "name": "sync.teads.tv", + "registered_domain": "teads.tv", + "subdomain": "sync", + "top_level_domain": "tv" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + 
] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.956Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16280,67 +16117,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207110185Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "184", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "183", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "s.thebrighttag.com", - "subdomain": "s", - "registered_domain": "thebrighttag.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.019Z", + "dns": { "answers": [ { "data": "td.thebrighttag.com", @@ -16391,6 +16198,12 @@ "type": "A" } ], + "question": { + "name": "s.thebrighttag.com", + "registered_domain": "thebrighttag.com", + "subdomain": "s", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -16405,12 +16218,35 @@ "192.168.80.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.019Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16428,67 +16264,37 @@ "192.168.80.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207110776Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "186", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "184", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "t.a3cloud.net", - "subdomain": "t", - "registered_domain": "a3cloud.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.050Z", + "dns": { "answers": [ { "data": "d386jaag4hn9zl.cloudfront.net", 
@@ -16499,16 +16305,45 @@ "type": "A" } ], + "question": { + "name": "t.a3cloud.net", + "registered_domain": "a3cloud.net", + "subdomain": "t", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.053Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.050Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16519,67 +16354,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207111359Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.053Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "187", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "186", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tps618.doubleverify.com", - "subdomain": "tps618", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.070Z", + "dns": { "answers": [ { "data": "nycp-hlb.doubleverify.com", 
@@ -16594,16 +16399,45 @@ "type": "A" } ], + "question": { + "name": "tps618.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps618", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.053Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.070Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16615,67 +16449,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207111915Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.053Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - 
"pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "188", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "187", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dpm.demdex.net", - "subdomain": "dpm", - "registered_domain": "demdex.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.090Z", + "dns": { "answers": [ { "data": "gslb-2.demdex.net", @@ -16726,6 +16530,12 @@ "type": "A" } ], + "question": { + "name": "dpm.demdex.net", + "registered_domain": "demdex.net", + "subdomain": "dpm", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -16738,12 +16548,35 @@ "192.168.6.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.053Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ 
+ "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.090Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16757,67 +16590,37 @@ "192.168.6.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207112428Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.053Z", - "category": [ - "network" - ], 
- "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "189", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "188", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "secure.adnxs.com", - "subdomain": "secure", - "registered_domain": "adnxs.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.308Z", + "dns": { "answers": [ { "data": "g.geogslb.com", @@ -16872,6 +16675,12 @@ "type": "A" } ], + "question": { + "name": "secure.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "secure", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -16886,12 +16695,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.053Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.308Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16906,67 +16738,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207112930Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.053Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "190", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "189", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tps.doubleverify.com", - "subdomain": "tps", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.478Z", + "dns": { "answers": [ { "data": "tps-geo.dvgtm.akadns.net", 
@@ -16981,16 +16783,45 @@ "type": "A" } ], + "question": { + "name": "tps.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.053Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", 
+ "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.478Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -17002,67 +16833,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207113432Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.053Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 
2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "191", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "190", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "i.liadm.com", - "subdomain": "i", - "registered_domain": "liadm.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.536Z", + "dns": { "answers": [ { "data": "idaas-production.us-east-1.elasticbeanstalk.com", @@ -17113,6 +16914,12 @@ "type": "A" } ], + "question": { + "name": "i.liadm.com", + "registered_domain": "liadm.com", + "subdomain": "i", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -17127,12 +16934,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.536Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -17146,67 +16976,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207114050Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "192", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "191", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pixel.s3xified.com", - "subdomain": "pixel", - "registered_domain": "s3xified.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.544Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -17257,6 +17057,12 @@ "type": "A" } ], + "question": { + "name": "pixel.s3xified.com", + "registered_domain": "s3xified.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -17272,12 +17078,35 @@ "192.168.51.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.544Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -17298,67 +17127,37 @@ "192.168.51.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207114715Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "193", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "192", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "router.infolinks.com", - "subdomain": "router", - "registered_domain": "infolinks.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.550Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -17405,6 +17204,12 @@ "type": "A" } ], + "question": { + "name": "router.infolinks.com", + "registered_domain": "infolinks.com", + "subdomain": "router", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -17419,91 +17224,84 @@ "192.168.94.30" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:08.550Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "router.infolinks.com" - ], - "ip": [ - "89.160.20.156", - "192.168.6.30", - "2001:503:a83e::2:30", - "192.168.14.30", - "2001:503:231d::2:30", - "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30", - "192.168.94.30" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207115232Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "router.infolinks.com" + ], + "ip": [ + "89.160.20.156", + "192.168.6.30", + "2001:503:a83e::2:30", + "192.168.14.30", + "2001:503:231d::2:30", + "192.168.92.30", + "2001:503:83eb::30", + "192.168.80.30", + "2001:500:856e::30", + "192.168.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "194", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "193", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "grey.erne.co", - "subdomain": "grey", - "registered_domain": "erne.co", - "top_level_domain": "co" }, 
+ "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.552Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -17546,6 +17344,12 @@ "type": "A" } ], + "question": { + "name": "grey.erne.co", + "registered_domain": "erne.co", + "subdomain": "grey", + "top_level_domain": "co" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -17559,82 +17363,75 @@ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:08.552Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "grey.erne.co" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207115965Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": 
"Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + 
"level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "grey.erne.co" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "195", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "194", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync.jivox.com", - "subdomain": "sync", - "registered_domain": "jivox.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.552Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -17685,6 +17482,12 @@ "type": "AAAA" } ], + "question": { + "name": "sync.jivox.com", + "registered_domain": "jivox.com", + "subdomain": "sync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -17700,12 +17503,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" 
+ }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.552Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -17725,67 +17551,37 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207116485Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "196", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "195", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "b1sync.zemanta.com", - "subdomain": "b1sync", - "registered_domain": "zemanta.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.594Z", + "dns": { "answers": [ { "data": "b1-lsw-use1.zemanta.com", @@ -18000,6 +17796,12 @@ "type": "AAAA" } ], + "question": { + "name": "b1sync.zemanta.com", + "registered_domain": "zemanta.com", + "subdomain": "b1sync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -18055,15 +17857,38 @@ "2001:502:7094::30" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:08.594Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ "b1-lsw-use1.zemanta.com", "b1sync.zemanta.com" ], 
@@ -18093,67 +17918,37 @@ "2001:502:7094::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207117066Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "197", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": 
"Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "196", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tg.socdm.com", - "subdomain": "tg", - "registered_domain": "socdm.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.619Z", + "dns": { "answers": [ { "data": "tg3.dr.socdm.com", @@ -18216,6 +18011,12 @@ "type": "AAAA" } ], + "question": { + "name": "tg.socdm.com", + "registered_domain": "socdm.com", + "subdomain": "tg", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -18233,12 +18034,35 @@ "2001:503:a83e::2:30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.619Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -18251,74 +18075,44 @@ "2001:503:a83e::2:30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207117916Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - 
"category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "198", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "197", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.620Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "prebid.adnxs.com", - "subdomain": "prebid", - "registered_domain": "adnxs.com", - "top_level_domain": "com" - }, "answers": [ { "data": "prebid.appnexusgslb.net", 
@@ -18329,16 +18123,45 @@ "type": "A" } ], + "question": { + "name": "prebid.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "prebid", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.620Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -18349,67 +18172,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207118584Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "199", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "198", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ul1.dvtps.com", - "subdomain": "ul1", - "registered_domain": "dvtps.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.811Z", + "dns": { "answers": [ { "data": "tps.doubleverify.com", 
@@ -18428,16 +18221,45 @@ "type": "A" } ], + "question": { + "name": "ul1.dvtps.com", + "registered_domain": "dvtps.com", + "subdomain": "ul1", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.811Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -18450,141 +18272,110 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207119190Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "200", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "199", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.912Z", "dns": { "question": { "name": "ul1.dvtps.com", - "subdomain": "ul1", "registered_domain": "dvtps.com", + "subdomain": "ul1", "top_level_domain": "com" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:08.912Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "ul1.dvtps.com" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207119839Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067946300Z'/\u003e\u003cEventRecordID\u003e200\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.912\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067946300Z'/\u003e\u003cEventRecordID\u003e200\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 
03:34:08.912\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ul1.dvtps.com" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "201", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "200", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tags.bluekai.com", - "subdomain": "tags", - "registered_domain": "bluekai.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.016Z", + "dns": 
{ "answers": [ { "data": "tags.bluekai.com.edgekey.net", 
@@ -18599,16 +18390,45 @@ "type": "A" } ], + "question": { + "name": "tags.bluekai.com", + "registered_domain": "bluekai.com", + "subdomain": "tags", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.068Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.016Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -18620,67 +18440,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207120484Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.068Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 
2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "202", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "201", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cdnjs.cloudflare.com", - "subdomain": "cdnjs", - "registered_domain": "cloudflare.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.048Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -18731,6 +18521,12 @@ "type": "A" } ], + "question": { + "name": "cdnjs.cloudflare.com", + "registered_domain": "cloudflare.com", + "subdomain": "cdnjs", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -18746,12 +18542,35 @@ "192.168.80.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.048Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -18768,67 +18587,37 @@ "192.168.80.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207120999Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { 
+ "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "203", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "202", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pixel.onaudience.com", - "subdomain": "pixel", - "registered_domain": "onaudience.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.051Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -18879,6 +18668,12 @@ "type": "AAAA" } ], + "question": { + "name": "pixel.onaudience.com", + "registered_domain": "onaudience.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -18894,12 +18689,35 @@ "2001:500:856e::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.051Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -18917,67 +18735,37 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207121553Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { 
+ "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "204", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "203", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "status.geotrust.com", - "subdomain": "status", - "registered_domain": "geotrust.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.054Z", + "dns": { "answers": [ { "data": "ocsp.digicert.com", 
@@ -18992,16 +18780,45 @@ "type": "A" } ], + "question": { + "name": "status.geotrust.com", + "registered_domain": "geotrust.com", + "subdomain": "status", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.054Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19013,67 +18830,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207122079Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "205", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "204", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.trust-provider.com", - "subdomain": "ocsp", - "registered_domain": "trust-provider.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.126Z", + "dns": { "answers": [ { "data": "t3j2g9x7.stackpathcdn.com", @@ -19120,10 +18907,16 @@ "type": "A" } ], - "resolved_ip": [ - "89.160.20.156", - "192.168.6.30", - "2001:503:a83e::2:30", + "question": { + "name": "ocsp.trust-provider.com", + "registered_domain": "trust-provider.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "89.160.20.156", + "192.168.6.30", + "2001:503:a83e::2:30", "192.168.14.30", "2001:503:231d::2:30", "192.168.92.30", 
@@ -19133,12 +18926,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" 
+ }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.126Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19158,74 +18974,44 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207122669Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "206", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "205", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.184Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "ocsp.comodoca4.com", - "subdomain": "ocsp", - "registered_domain": "comodoca4.com", - "top_level_domain": "com" - }, "answers": [ { "data": "t3j2g9x7.stackpathcdn.com", @@ -19272,6 +19058,12 @@ "type": "A" } ], + "question": { + "name": "ocsp.comodoca4.com", + "registered_domain": "comodoca4.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -19285,12 +19077,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.184Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19310,67 +19125,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207123309Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "207", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "206", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync.crwdcntrl.net", - "subdomain": "sync", - "registered_domain": "crwdcntrl.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.322Z", + "dns": { "answers": [ { "data": "td.crwdcntrl.net", @@ -19417,6 +19202,12 @@ "type": "A" } ], + "question": { + "name": "sync.crwdcntrl.net", + "registered_domain": "crwdcntrl.net", + "subdomain": "sync", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -19429,12 +19220,35 @@ "192.168.6.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.322Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19447,67 +19261,37 @@ "192.168.6.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207123846Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "208", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "207", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "match.sync.ad.cpe.dotomi.com", - "subdomain": "match.sync.ad.cpe", - "registered_domain": "dotomi.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.730Z", + "dns": { "answers": [ { "data": "cpe.us.dotomi.weighted.com.akadns.net", @@ -19546,6 +19330,12 @@ "type": "A" } ], + "question": { + "name": "match.sync.ad.cpe.dotomi.com", + "registered_domain": "dotomi.com", + "subdomain": "match.sync.ad.cpe", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -19555,12 +19345,35 @@ "192.168.92.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, 
+ "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.730Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19578,74 +19391,44 @@ "192.168.92.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207124305Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - 
"info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "209", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "208", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:10.627Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "tps10230.doubleverify.com", - "subdomain": "tps10230", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" - }, "answers": [ { "data": "nycp-hlb.doubleverify.com", 
@@ -19660,16 +19443,45 @@ "type": "A" } ], + "question": { + "name": "tps10230.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps10230", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:11.066Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ 
+ "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:10.627Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19681,74 +19493,44 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207124904Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:11.066Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": 
"f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "210", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "209", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:10.650Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "tps10221.doubleverify.com", - "subdomain": "tps10221", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" - }, "answers": [ { "data": "nycp-hlb.doubleverify.com", 
@@ -19763,88 +19545,87 @@ "type": "A" } ], + "question": { + "name": "tps10221.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps10221", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:10.650Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "nycp-hlb.doubleverify.com", - "nycp-hlb.dvgtm.akadns.net", - "tps10221.doubleverify.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207125734Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 
nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:11.066Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:11.066Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "nycp-hlb.doubleverify.com", + "nycp-hlb.dvgtm.akadns.net", + "tps10221.doubleverify.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "212", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "210", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "www.facebook.com", - "subdomain": "www", - "registered_domain": "facebook.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:16.329Z", + "dns": { "answers": [ { "data": "star-mini.c10r.facebook.com", @@ -19891,6 +19672,12 @@ "type": "A" } ], + "question": { + "name": "www.facebook.com", + "registered_domain": "facebook.com", + "subdomain": "www", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -19904,12 +19691,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:17.272Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:16.329Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19929,67 +19739,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207126268Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:17.272Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "213", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "212", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "platform.twitter.com", - "subdomain": "platform", - "registered_domain": "twitter.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:16.386Z", + "dns": { "answers": [ { "data": "cs472.wac.edgecastcdn.net", 
@@ -20016,16 +19796,45 @@ "type": "A" } ], + "question": { + "name": "platform.twitter.com", + "registered_domain": "twitter.com", + "subdomain": "platform", + "top_level_domain": "com" + }, "resolved_ip": [ "192.168.163.25" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:17.272Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:16.386Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -20040,67 +19849,37 @@ "192.168.163.25" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207126816Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:17.272Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "214", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "213", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "syndication.twitter.com", - "subdomain": "syndication", - "registered_domain": "twitter.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:16.482Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -20151,6 +19930,12 @@ "type": "AAAA" } ], + "question": { + "name": "syndication.twitter.com", + "registered_domain": "twitter.com", + "subdomain": "syndication", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -20166,12 +19951,35 @@ "2001:500:856e::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:17.272Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:16.482Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -20189,67 +19997,37 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207127375Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:17.272Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "215", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "214", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ade.googlesyndication.com", - "subdomain": "ade", - "registered_domain": "googlesyndication.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:19.578Z", + "dns": { "answers": [ { "data": "pagead.l.doubleclick.net", 
@@ -20260,16 +20038,45 @@ "type": "A" } ], + "question": { + "name": "ade.googlesyndication.com", + "registered_domain": "googlesyndication.com", + "subdomain": "ade", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:21.552Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:19.578Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -20280,67 +20087,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207127918Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:21.552Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 356, - "entity_id": 
"{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "216", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "215", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "iecvlist.microsoft.com", - "subdomain": "iecvlist", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:31.219Z", + "dns": { "answers": [ { "data": "ie9comview.vo.msecnd.net", 
@@ -20355,16 +20132,45 @@ "type": "A" } ], + "question": { + "name": "iecvlist.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "iecvlist", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:33.148Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:31.219Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 }, "related": { "hosts": [ 
@@ -20376,67 +20182,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207128455Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:33.148Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 844, - 
"entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "220", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "216", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tsfe.trafficshaping.dsp.mp.microsoft.com", - "subdomain": "tsfe.trafficshaping.dsp.mp", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:39:02.752Z", + "dns": { "answers": [ { "data": "tsfe.trafficmanager.net", 
@@ -20447,304 +20223,300 @@ "type": "A" } ], + "question": { + "name": "tsfe.trafficshaping.dsp.mp.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "tsfe.trafficshaping.dsp.mp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:39:02.752Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "tsfe.trafficmanager.net", - "tsfe.trafficshaping.dsp.mp.microsoft.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207128926Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:39:03.685Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:39:03.685Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + 
"network": { + "protocol": "dns" + }, "process": { - "name": "svchost.exe", - "pid": 844, "entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 844 + }, + "related": { + "hosts": [ + "tsfe.trafficmanager.net", + "tsfe.trafficshaping.dsp.mp.microsoft.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "221", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "220", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RCODE_NAME_ERROR" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:39:20.413Z", "dns": { "question": { "name": "isatap.local.crowbird.com", - "subdomain": "isatap.local", "registered_domain": "crowbird.com", + "subdomain": "isatap.local", "top_level_domain": "com" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:39:20.413Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "isatap.local.crowbird.com" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207129504Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:22.432153100Z'/\u003e\u003cEventRecordID\u003e221\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:20.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003eisatap.local.crowbird.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:39:22.432Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:39:22.432Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:39:22.432153100Z'/\u003e\u003cEventRecordID\u003e221\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:20.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003eisatap.local.crowbird.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 844 + }, + "related": { + "hosts": [ + "isatap.local.crowbird.com" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RCODE_NAME_ERROR" + } + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "ruby.exe", - "pid": 676, - "entity_id": "{fa4a0de6-e9f7-5d2f-0000-001031039c00}", - "executable": "C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "230", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": 
"Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "221", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RCODE_NAME_ERROR" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:39:40.504Z", "dns": { "question": { "name": "puppet" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:39:40.504Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "puppet" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207130060Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:42.554539300Z'/\u003e\u003cEventRecordID\u003e230\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:40.504\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e9f7-5d2f-0000-001031039c00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e676\u003c/Data\u003e\u003cData Name='QueryName'\u003epuppet\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:39:42.554Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:39:42.554Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:42.554539300Z'/\u003e\u003cEventRecordID\u003e230\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:40.504\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e9f7-5d2f-0000-001031039c00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e676\u003c/Data\u003e\u003cData Name='QueryName'\u003epuppet\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": 
"{fa4a0de6-e9f7-5d2f-0000-001031039c00}", + "executable": "C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe", + "name": "ruby.exe", + "pid": 676 + }, + "related": { + "hosts": [ + "puppet" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RCODE_NAME_ERROR" + } + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 636, - "entity_id": "{fa4a0de6-b1a2-5d2f-0000-001016f70000}", - "executable": "C:\\Windows\\System32\\svchost.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "231", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "230", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RCODE_NAME_ERROR" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:40:40.433Z", "dns": { "question": { "name": "wpad" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:40:40.433Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "wpad" - ] - }, "event": { - "ingested": "2022-01-12T05:21:33.207130553Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:40:42.447293700Z'/\u003e\u003cEventRecordID\u003e231\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:40:40.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-001016f70000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e636\u003c/Data\u003e\u003cData Name='QueryName'\u003ewpad\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:40:42.447Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:40:42.447Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:40:42.447293700Z'/\u003e\u003cEventRecordID\u003e231\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:40:40.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-001016f70000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e636\u003c/Data\u003e\u003cData Name='QueryName'\u003ewpad\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { + "entity_id": "{fa4a0de6-b1a2-5d2f-0000-001016f70000}", + "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", - "pid": 1788, - "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", - "executable": "C:\\Windows\\System32\\svchost.exe" + "pid": 636 + }, + "related": { + "hosts": [ + "wpad" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RCODE_NAME_ERROR" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "232", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "231", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "v10.vortex-win.data.microsoft.com", - "subdomain": "v10.vortex-win.data", - "registered_domain": 
"microsoft.com", - "top_level_domain": "com" }, - "answers": [ + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:42:54.033Z", + "dns": { + "answers": [ { "data": "v10-win.vortex.data.microsoft.com.akadns.net", "type": "CNAME" 
@@ -20762,16 +20534,45 @@ "type": "A" } ], + "question": { + "name": "v10.vortex-win.data.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "v10.vortex-win.data", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:42:55.556Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:42:54.033Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 1788 }, "related": { "hosts": [ 
@@ -20784,67 +20585,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207131114Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:42:55.556Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": 
"S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 1788, - "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", - "executable": "C:\\Windows\\System32\\svchost.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "233", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "232", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "settings-win.data.microsoft.com", - "subdomain": "settings-win.data", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:43:04.400Z", + "dns": { "answers": [ { "data": "settingsfd-geo.trafficmanager.net", 
@@ -20855,16 +20626,45 @@ "type": "A" } ], + "question": { + "name": "settings-win.data.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "settings-win.data", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:43:06.459Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", 
+ "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:43:04.400Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 1788 }, "related": { "hosts": [ 
@@ -20875,316 +20675,309 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207131645Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:43:06.459Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": 
"vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "233", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 } }, { + "@timestamp": "2020-10-27T20:00:14.320Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "process" + ], + "code": "1", + "created": "2020-10-27T20:00:14.324Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-27T20:00:14.324234100Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='7144' ThreadID='6876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-27 20:00:14.320\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-7c4e-5f98-5803-000000000500}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\notepad.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.475 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eNotepad\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft 
Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eNOTEPAD.EXE\u003c/Data\u003e\u003cData Name='CommandLine'\u003e\"C:\\Windows\\system32\\notepad.exe\" \u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Users\\vagrant\\\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{9f32b55f-6fdd-5f98-e7c9-020000000000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x2c9e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e1\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eMedium\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=B6D237154F2E528F0B503B58B025862D66B02B73\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{9f32b55f-6fdf-5f98-7000-000000000500}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e4212\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "log": { + "level": "information" + }, "process": { "args": [ "C:\\Windows\\system32\\notepad.exe" ], + "args_count": 1, + "command_line": "\"C:\\Windows\\system32\\notepad.exe\" ", + "entity_id": "{9f32b55f-7c4e-5f98-5803-000000000500}", + "executable": "C:\\Windows\\System32\\notepad.exe", + "hash": { + "sha1": "b6d237154f2e528f0b503b58b025862d66b02b73" + }, + "name": "notepad.exe", "parent": { "args": [ "C:\\Windows\\Explorer.EXE" ], - "name": "explorer.exe", - "pid": 4212, "args_count": 1, + "command_line": "C:\\Windows\\Explorer.EXE", "entity_id": "{9f32b55f-6fdf-5f98-7000-000000000500}", "executable": "C:\\Windows\\explorer.exe", - "command_line": "C:\\Windows\\Explorer.EXE" + "name": "explorer.exe", + "pid": 4212 }, "pe": { - "file_version": "10.0.17763.475 (WinBuild.160101.0800)", + "company": "Microsoft Corporation", "description": "Notepad", - "product": 
"Microsoft« Windows« Operating System", + "file_version": "10.0.17763.475 (WinBuild.160101.0800)", "original_file_name": "NOTEPAD.EXE", - "company": "Microsoft Corporation" + "product": "Microsoft« Windows« Operating System" }, - "name": "notepad.exe", "pid": 3616, - "working_directory": "C:\\Users\\vagrant\\", - "args_count": 1, - "entity_id": "{9f32b55f-7c4e-5f98-5803-000000000500}", - "hash": { - "sha1": "b6d237154f2e528f0b503b58b025862d66b02b73" - }, - "executable": "C:\\Windows\\System32\\notepad.exe", - "command_line": "\"C:\\Windows\\system32\\notepad.exe\" " + "working_directory": "C:\\Users\\vagrant\\" + }, + "related": { + "hash": [ + "b6d237154f2e528f0b503b58b025862d66b02b73" + ], + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-18", + "name": "vagrant" }, - "@timestamp": "2020-10-27T20:00:14.320Z", "winlog": { - "computer_name": "vagrant", - "record_id": "20", - "process": { - "pid": 7144, - "thread": { - "id": 6876 - } - }, - "event_id": "1", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", "event_data": { "Company": "Microsoft Corporation", "Description": "Notepad", - "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}", - "IntegrityLevel": "Medium", - "TerminalSessionId": "1", "FileVersion": "10.0.17763.475 (WinBuild.160101.0800)", + "IntegrityLevel": "Medium", + "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}", + "LogonId": "0x2c9e7", "Product": "Microsoft« Windows« Operating System", - "LogonId": "0x2c9e7" + "TerminalSessionId": "1" }, + "event_id": "1", "opcode": "Info", + "process": { + "pid": 7144, + "thread": { + "id": 6876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "20", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2021-02-25T14:43:23.550Z", "ecs": { "version": 
"8.0.0" }, - "related": { - "user": [ - "vagrant" - ], - "hash": [ - "b6d237154f2e528f0b503b58b025862d66b02b73" - ] - }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207132170Z", - "code": "1", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-27T20:00:14.324234100Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='7144' ThreadID='6876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-27 20:00:14.320\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-7c4e-5f98-5803-000000000500}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\notepad.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.475 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eNotepad\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eNOTEPAD.EXE\u003c/Data\u003e\u003cData Name='CommandLine'\u003e\"C:\\Windows\\system32\\notepad.exe\" \u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Users\\vagrant\\\u003c/Data\u003e\u003cData 
Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{9f32b55f-6fdd-5f98-e7c9-020000000000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x2c9e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e1\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eMedium\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=B6D237154F2E528F0B503B58B025862D66B02B73\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{9f32b55f-6fdf-5f98-7000-000000000500}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e4212\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-10-27T20:00:14.324Z", "category": [ "process" ], + "code": "25", + "created": "2021-02-25T14:43:23.551Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e25\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e25\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T14:43:23.551269400Z'/\u003e\u003cEventRecordID\u003e10737797\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='5080'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 14:43:23.550\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{9497d8d9-b78b-6037-6f13-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2628\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\u003c/Data\u003e\u003cData Name='Type'\u003eImage is replaced\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ - "start" + "change" ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT", - "id": "S-1-5-18" - } - }, - { + "host": { + "name": "DESKTOP-I9CQVAQ" + }, + "log": { + "level": "information" + }, + "message": "Image is replaced", "process": { - "name": "git.exe", - "pid": 2628, "entity_id": "{9497d8d9-b78b-6037-6f13-000000001000}", - "executable": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe" + "executable": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe", + "name": "git.exe", + "pid": 2628 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2021-02-25T14:43:23.550Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "DESKTOP-I9CQVAQ", - "record_id": "10737797", + "event_id": "25", + "opcode": "Info", "process": { "pid": 3800, "thread": { "id": 5080 } }, - "event_id": "25", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "10737797", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2020-05-12T06:48:27.084Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, - "host": { - "name": "DESKTOP-I9CQVAQ" - }, "event": { - "ingested": "2022-01-12T05:21:33.207132876Z", - "code": "25", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e25\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e25\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T14:43:23.551269400Z'/\u003e\u003cEventRecordID\u003e10737797\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='5080'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 14:43:23.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-b78b-6037-6f13-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2628\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\u003c/Data\u003e\u003cData Name='Type'\u003eImage is replaced\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2021-02-25T14:43:23.551Z", "category": [ - "process" + "file" ], + "code": "23", + "created": "2020-05-12T06:48:27.084Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2020-05-12T06:48:27.084044200Z'/\u003e\u003cEventRecordID\u003e2243\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1188' ThreadID='1600'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-12 06:48:27.084\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-4664-5eba-91ae-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e820\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ - "change" + "deletion" ] }, - "message": "Image is replaced", - "user": { - "id": "S-1-5-18" - } - }, - { + "file": { + "directory": "C:\\Windows\\System32\\LogFiles\\Scm", + "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", + "path": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d" + }, + "log": { + "level": "information" + }, "process": { - "name": "svchost.exe", - "pid": 820, "entity_id": "{42f11c3b-4664-5eba-91ae-000000000000}", + "executable": "C:\\Windows\\system32\\svchost.exe", "hash": { "md5": "5a9bddf83be530b481f0fd24db28a6ff" }, - "executable": "C:\\Windows\\system32\\svchost.exe" + "name": "svchost.exe", + "pid": 820 + }, + "related": { + "hash": [ + "5a9bddf83be530b481f0fd24db28a6ff" + ], 
+ "user": [ + "SYSTEM" + ] + }, + "sysmon": { + "file": { + "archived": true, + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "2243", + "event_id": "23", + "opcode": "Info", "process": { "pid": 1188, "thread": { "id": 1600 } }, - "event_id": "23", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "2243", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "file": { - "archived": true, - "is_executable": false - } - }, - "@timestamp": "2020-05-12T06:48:27.084Z", - "file": { - "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", - "path": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d", - "directory": "C:\\Windows\\System32\\LogFiles\\Scm" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2020-10-28T02:39:26.374Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" - ], - "hash": [ - "5a9bddf83be530b481f0fd24db28a6ff" - ] - }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207133423Z", - "code": "23", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-12T06:48:27.084044200Z'/\u003e\u003cEventRecordID\u003e2243\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1188' 
ThreadID='1600'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-12 06:48:27.084\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-4664-5eba-91ae-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e820\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-12T06:48:27.084Z", "category": [ - "file" + "process" ], + "code": "7", + "created": "2020-10-28T02:39:26.388Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e7\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e7\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-28T02:39:26.388325200Z'/\u003e\u003cEventRecordID\u003e10685\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1676' 
ThreadID='4796'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-28 02:39:26.374\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-d9de-5f98-f006-000000000600}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5184\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\dllhost.exe\u003c/Data\u003e\u003cData Name='ImageLoaded'\u003eC:\\Windows\\System32\\IDStore.dll\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.1 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eIdentity Store\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eIdStore.dll\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\u003c/Data\u003e\u003cData Name='Signed'\u003etrue\u003c/Data\u003e\u003cData Name='Signature'\u003eMicrosoft Windows\u003c/Data\u003e\u003cData Name='SignatureStatus'\u003eValid\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ - "deletion" + "change" ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "dllhost.exe", - "pid": 5184, - "entity_id": "{9f32b55f-d9de-5f98-f006-000000000600}", - "executable": "C:\\Windows\\System32\\dllhost.exe" - }, - "@timestamp": "2020-10-28T02:39:26.374Z", - "winlog": { - "computer_name": "vagrant", - "record_id": "10685", - "process": { - "pid": 1676, - "thread": { - "id": 
4796 - } - }, - "event_id": "7", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "SignatureStatus": "Valid", - "Company": "Microsoft Corporation", - "Description": "Identity Store", - "Signed": "true", - "FileVersion": "10.0.17763.1 (WinBuild.160101.0800)", - "Signature": "Microsoft Windows", - "Product": "Microsoft« Windows« Operating System" - }, - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, - "user": { - "identifier": "S-1-5-18" - } - }, "file": { - "path": "C:\\Windows\\System32\\IDStore.dll", - "extension": "dll", "code_signature": { - "valid": true, + "status": "Valid", "subject_name": "Microsoft Windows", - "status": "Valid" + "valid": true }, - "pe": { - "file_version": "10.0.17763.1 (WinBuild.160101.0800)", - "description": "Identity Store", - "product": "Microsoft« Windows« Operating System", - "original_file_name": "IdStore.dll", - "company": "Microsoft Corporation", - "imphash": "194f3797b52231028c718b6d776c6853" - }, - "name": "IDStore.dll", "directory": "C:\\Windows\\System32", + "extension": "dll", "hash": { + "md5": "c7c45610f644906e6f7d664ef2e45b08", "sha1": "9955a1c071c44a7ceecc0d928a9cfb7f64cc3f93", - "sha256": "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e", - "md5": "c7c45610f644906e6f7d664ef2e45b08" + "sha256": "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e" + }, + "name": "IDStore.dll", + "path": "C:\\Windows\\System32\\IDStore.dll", + "pe": { + "company": "Microsoft Corporation", + "description": "Identity Store", + "file_version": "10.0.17763.1 (WinBuild.160101.0800)", + "imphash": "194f3797b52231028c718b6d776c6853", + "original_file_name": "IdStore.dll", + "product": "Microsoft« Windows« Operating System" } }, - "ecs": { - "version": "8.0.0" + "log": { + "level": "information" + }, + "process": { + "entity_id": "{9f32b55f-d9de-5f98-f006-000000000600}", + "executable": 
"C:\\Windows\\System32\\dllhost.exe", + "name": "dllhost.exe", + "pid": 5184 }, "related": { "hash": [ 
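Review bot: In the notepad.exe (event code 1) record of this hunk, `user.id` is `"S-1-5-18"` while `user.domain`/`user.name` are `"VAGRANT"`/`"vagrant"`, so the expected output pins a SID that does not belong to the named account — S-1-5-18 is the LocalSystem SID that also appears as `winlog.user.identifier` on every record, which suggests `user.id` is being filled from the logging context rather than from the event's `User` data field. The commit only reorders keys and drops `event.ingested`, so this is pre-existing, but regenerating the fixture is the moment to decide whether `user.id` should be omitted (or sourced differently) when `User` names another account, because a detection or correlation keyed on `user.id` would attribute the process start to SYSTEM. The same shape is visible in the DNS (code 22) records earlier in the file, where `user.id` is `"S-1-5-18"` with no `user.name` to contradict it. If the current mapping is intentional, a short comment at the pipeline's user mapping such as `# user.id carries the Sysmon service SID (winlog.user.identifier), not the actor's SID` would keep the next reader from treating it as actor identity.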
@@ -21194,258 +20987,228 @@ "194f3797b52231028c718b6d776c6853" ] }, - "log": { - "level": "information" - }, - "event": { - "ingested": "2022-01-12T05:21:33.207133895Z", - "code": "7", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e7\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e7\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-28T02:39:26.388325200Z'/\u003e\u003cEventRecordID\u003e10685\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1676' ThreadID='4796'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-28 02:39:26.374\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-d9de-5f98-f006-000000000600}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5184\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\dllhost.exe\u003c/Data\u003e\u003cData Name='ImageLoaded'\u003eC:\\Windows\\System32\\IDStore.dll\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.1 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eIdentity Store\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eIdStore.dll\u003c/Data\u003e\u003cData 
Name='Hashes'\u003eSHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\u003c/Data\u003e\u003cData Name='Signed'\u003etrue\u003c/Data\u003e\u003cData Name='Signature'\u003eMicrosoft Windows\u003c/Data\u003e\u003cData Name='SignatureStatus'\u003eValid\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-10-28T02:39:26.388Z", - "category": [ - "process" - ], - "type": [ - "change" - ] - }, "user": { "id": "S-1-5-18" - } - }, - { - "registry": { - "hive": "HKU", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "value": "HRZR_PGYFRFFVBA", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" - }, - "process": { - "name": "Explorer.EXE", - "pid": 4320, - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", - "executable": "C:\\Windows\\Explorer.EXE" }, - "@timestamp": "2020-05-05T14:57:46.808Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", - "record_id": "2691", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "Identity Store", + "FileVersion": "10.0.17763.1 (WinBuild.160101.0800)", + "Product": "Microsoft« Windows« Operating System", + "Signature": "Microsoft Windows", + "SignatureStatus": "Valid", + "Signed": "true" + }, + "event_id": "7", + "opcode": "Info", "process": { - "pid": 5496, + "pid": 1676, "thread": { - "id": 876 + "id": 4796 } }, - "event_id": "13", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { 
- "EventType": "SetValue" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 2, + "record_id": "10685", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 3 + } + }, + { + "@timestamp": "2020-05-05T14:57:46.808Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207134456Z", - "code": "13", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818869100Z'/\u003e\u003cEventRecordID\u003e2691\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
- "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-05T14:57:46.818Z", "category": [ "configuration", "registry" ], + "code": "13", + "created": "2020-05-05T14:57:46.818Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818869100Z'/\u003e\u003cEventRecordID\u003e2691\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, "process": { - "name": 
"vmtoolsd.exe", - "pid": 2144, - "entity_id": "{9497d8d9-aa1b-602f-a600-000000001000}", - "hash": { - "sha256": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" - }, - "executable": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "value": "HRZR_PGYFRFFVBA" + }, + "user": { + "id": "S-1-5-18" }, "winlog": { - "computer_name": "DESKTOP-I9CQVAQ", - "record_id": "10757412", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", "process": { - "pid": 3800, + "pid": 5496, "thread": { - "id": 6444 + "id": 876 } }, - "event_id": "24", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "ClientInfo": "user: DESKTOP-I9CQVAQ\\luks", - "Session": "1" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "2691", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "file": { - "archived": true - } - }, + }, + "version": 2 + } + }, + { "@timestamp": "2021-02-25T15:04:48.592Z", "ecs": { "version": "8.0.0" }, - "related": { - "hash": [ - "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" - ] - }, - "log": { - "level": "information" - }, - "host": { - "name": "DESKTOP-I9CQVAQ" - }, "event": { - "ingested": 
"2022-01-12T05:21:33.207135151Z", "code": "24", + "created": "2021-02-25T15:04:48.607Z", + "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e24\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e24\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T15:04:48.607343500Z'/\u003e\u003cEventRecordID\u003e10757412\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='6444'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 15:04:48.592\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-aa1b-602f-a600-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2144\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\u003c/Data\u003e\u003cData Name='Session'\u003e1\u003c/Data\u003e\u003cData Name='ClientInfo'\u003euser: DESKTOP-I9CQVAQ\\luks\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2021-02-25T15:04:48.607Z", "type": [ "change" ] }, + "host": { + "name": "DESKTOP-I9CQVAQ" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": 
"{9497d8d9-aa1b-602f-a600-000000001000}", + "executable": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "hash": { + "sha256": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" + }, + "name": "vmtoolsd.exe", + "pid": 2144 + }, + "related": { + "hash": [ + "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" + ] + }, + "sysmon": { + "file": { + "archived": true + } + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "chrome.exe", - "pid": 1600, - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" }, - "@timestamp": "2019-03-18T16:57:52.433Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "32", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "DESKTOP-I9CQVAQ", + "event_data": { + "ClientInfo": "user: DESKTOP-I9CQVAQ\\luks", + "Session": "1" + }, + "event_id": "24", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 3800, "thread": { - "id": 4516 + "id": 6444 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:52:05.339", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "10757412", "user": { "identifier": "S-1-5-18" - } - }, - "file": { - "name": "ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", "ecs": { "version": "8.0.0" 
}, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:21:33.207135620Z", - "code": "2", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e32\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.339\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.433Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.433Z", + "kind": "event", + 
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e32\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.339\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def", + "extension": "tmp", + "name": "ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", + "path": 
"C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 356, - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "234", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:05.339", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + }, + "event_id": "2", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4516 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "32", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "c.urs.microsoft.com", - "subdomain": "c.urs", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 4 + } + }, + { + "@timestamp": "2019-07-18T03:49:51.154Z", + "dns": { "answers": [ { "data": "wd-prod-ss.trafficmanager.net", @@ -21484,6 +21247,12 @@ "type": "AAAA" } ], + "question": { + "name": "c.urs.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "c.urs", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -21494,12 +21263,35 @@ "2001:503:83eb::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:49:52.105Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": 
"information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:49:51.154Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 }, "related": { "hosts": [ 
@@ -21517,24 +21309,32 @@ "2001:503:83eb::30" ] }, - "event": { - "ingested": "2022-01-12T05:21:33.207136142Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:49:52.105Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + 
"dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "234", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 } } ] diff --git a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml index 5e337c79e6f..e3a2bea6ad8 100644 --- a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml @@ -27,9 +27,6 @@ processors: ignore_failure: true if: ctx?.winlog?.event_data?.UtcTime != null - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - set: field: event.kind value: event From c7f8ba78a49217a028f97be96c2c4dd54600fcf9 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Tue, 25 Jan 2022 12:42:24 +1030 Subject: [PATCH 2/4] packages/windows/sysmon_operational: add sysmon event 26 handler --- packages/windows/changelog.yml | 5 + .../_dev/test/pipeline/test-events.json | 88 +++++++++++ .../pipeline/test-events.json-expected.json | 148 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 7 +- packages/windows/manifest.yml | 2 +- 5 files changed, 248 insertions(+), 2 deletions(-) diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index b9463cbdec5..43e923bfd8e 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.10.0" + changes: + - description: Add sysmon event 26 handling + type: enhancement + link: https://github.com/elastic/integrations/pull/xxxx - version: "1.9.0" changes: - description: Expose winlog input ignore_older option. diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json index b4bd0afd978..7d664674210 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json +++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json 
@@ -8568,6 +8568,94 @@ } } } + }, + { + "@timestamp": "2021-05-05T15:30:51.724Z", + "log": { + "level": "information" + }, + "event": { + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e26\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e26\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-01-24T05:12:34.329980300Z'/\u003e\u003cEventRecordID\u003e456\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2764' ThreadID='3792'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-01-24 05:12:34.328\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{63a74932-a2b4-61ee-1b00-000000000700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1264\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=A94808E7C66973B122F66EC6611019C745A9602F8E944F53635CAB58AEF35A79\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "code": "26", + "kind": "event" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Hashes": 
"SHA256=A94808E7C66973B122F66EC6611019C745A9602F8E944F53635CAB58AEF35A79", + "Image": "C:\\Windows\\System32\\svchost.exe", + "IsExecutable": "false", + "ProcessGuid": "{63a74932-a2b4-61ee-1b00-000000000700}", + "ProcessId": "1264", + "RuleName": "-", + "TargetFilename": "C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat", + "User": "NT AUTHORITY\\LOCAL SERVICE", + "UtcTime": "2022-01-24 05:12:34.328" + }, + "event_id": "26", + "level": "information", + "opcode": "Info", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 456, + "time_created": "2022-01-24T05:12:34.3299803Z", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } + }, + { + "@timestamp": "2021-05-05T15:30:51.731Z", + "log": { + "level": "information" + }, + "event": { + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e26\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e26\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-01-24T05:12:51.042270000Z'/\u003e\u003cEventRecordID\u003e457\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2764' ThreadID='3792'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-01-24 05:12:51.031\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{63a74932-3523-61ee-af00-000000000700}\u003c/Data\u003e\u003cData 
Name='ProcessId'\u003e1364\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=D78FBF654D84DDF2CB4FE221F7D8B61E0DECDEE48A4687915E6E4A2296E2418B\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "code": "26", + "kind": "event" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Hashes": "SHA256=D78FBF654D84DDF2CB4FE221F7D8B61E0DECDEE48A4687915E6E4A2296E2418B", + "Image": "C:\\Windows\\system32\\svchost.exe", + "IsExecutable": "false", + "ProcessGuid": "{63a74932-3523-61ee-af00-000000000700}", + "ProcessId": "1364", + "RuleName": "-", + "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2022-01-24 05:12:51.031" + }, + "event_id": "26", + "level": "information", + "opcode": "Info", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 457, + "time_created": "2022-01-24T05:12:51.04227Z", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json index b86786e1942..bc22503238e 100644 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json 
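Review bot: The `Hashes` value in both added events (`SHA256=A94808…` and `SHA256=D78FBF…`) is Sysmon's digest of the deleted `TargetFilename`, not of `Image`, yet the expected output that follows this hunk records it under `process.hash.sha256` on svchost.exe; an analyst pivoting on process hash would then attribute the deleted file's digest to svchost. `file.hash.sha256` looks like the right home for it, but that mapping lives in the pipeline change outside this view, so please confirm the intended destination and note it in the handler. Minor: the fixtures' top-level `@timestamp` (2021-05-05) disagrees with their own `UtcTime`/`TimeCreated` (2022-01-24); the pipeline overrides it, so this is harmless, but matching values would make the fixture self-consistent. The file also still ends without a trailing newline.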
+++ b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json 
@@ -21336,6 +21336,154 @@ }, "version": 5 } + }, + { + "@timestamp": "2022-01-24T05:12:34.328Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "file" + ], + "code": "26", + "created": "2022-01-24T05:12:34.329Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e26\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e26\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-01-24T05:12:34.329980300Z'/\u003e\u003cEventRecordID\u003e456\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2764' ThreadID='3792'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-01-24 05:12:34.328\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{63a74932-a2b4-61ee-1b00-000000000700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1264\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=A94808E7C66973B122F66EC6611019C745A9602F8E944F53635CAB58AEF35A79\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" + ] + }, + "file": { + "directory": 
"C:\\Windows\\ServiceState\\EventLog\\Data", + "extension": "dat", + "name": "lastalive1.dat", + "path": "C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{63a74932-a2b4-61ee-1b00-000000000700}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "hash": { + "sha256": "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79" + }, + "name": "svchost.exe", + "pid": 1264 + }, + "related": { + "hash": [ + "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79" + ], + "user": [ + "LOCAL SERVICE" + ] + }, + "sysmon": { + "file": { + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "LOCAL SERVICE" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_id": "26", + "opcode": "Info", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "456", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } + }, + { + "@timestamp": "2022-01-24T05:12:51.031Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "file" + ], + "code": "26", + "created": "2022-01-24T05:12:51.042Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e26\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e26\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-01-24T05:12:51.042270000Z'/\u003e\u003cEventRecordID\u003e457\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution 
ProcessID='2764' ThreadID='3792'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-01-24 05:12:51.031\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{63a74932-3523-61ee-af00-000000000700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1364\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=D78FBF654D84DDF2CB4FE221F7D8B61E0DECDEE48A4687915E6E4A2296E2418B\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" + ] + }, + "file": { + "directory": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache", + "extension": "000", + "name": "OLDCACHE.000", + "path": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{63a74932-3523-61ee-af00-000000000700}", + "executable": "C:\\Windows\\system32\\svchost.exe", + "hash": { + "sha256": "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b" + }, + "name": "svchost.exe", + "pid": 1364 + }, + "related": { + "hash": [ + "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b" + ], + "user": [ + "SYSTEM" + ] + }, + "sysmon": { + "file": { + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_id": "26", + 
"opcode": "Info", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "457", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml index e3a2bea6ad8..1731bc0dcce 100644 --- a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml @@ -143,6 +143,11 @@ processors: - process type: - change + "26": + category: + - file + type: + - deletion tag: Add ECS categorization fields source: |- if (ctx?.event?.code == null || params.get(ctx.event.code) == null) { @@ -234,7 +239,7 @@ processors: target_field: process.hash if: |- ctx?._temp?.hashes != null && - ["1", "23", "24", "25"].contains(ctx.event.code) + ["1", "23", "24", "25", "26"].contains(ctx.event.code) - rename: field: process.hash.imphash target_field: process.pe.imphash diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml index e5b9fe2cf65..cedbc30e247 100644 --- a/packages/windows/manifest.yml +++ b/packages/windows/manifest.yml @@ -1,6 +1,6 @@ name: windows title: Windows -version: 1.9.0 +version: 1.10.0 description: Collect logs and metrics from Windows OS and services with Elastic Agent. type: integration categories: From 1cb174fcbdef28b0cd477dd65d9eb97f9abc869b Mon Sep 17 00:00:00 2001 
From: Dan Kortschak Date: Thu, 27 Jan 2022 07:39:11 +1030 Subject: [PATCH 3/4] packages/windows/forwarded: normalise field order and remove event.ingested --- .../test-powershell-events.json-expected.json | 324 +- ...hell-operational-events.json-expected.json | 324 +- .../test-security-1100.json-expected.json | 75 +- .../test-security-1102.json-expected.json | 109 +- .../test-security-1104.json-expected.json | 75 +- .../test-security-1105.json-expected.json | 85 +- ...ity-4670-windowssrv2016.json-expected.json | 139 +- ...ity-4706-windowssrv2016.json-expected.json | 127 +- ...ity-4707-windowssrv2016.json-expected.json | 113 +- ...ity-4713-windowssrv2016.json-expected.json | 113 +- ...ity-4716-windowssrv2016.json-expected.json | 127 +- ...ity-4717-windowssrv2016.json-expected.json | 115 +- ...ity-4718-windowssrv2016.json-expected.json | 115 +- ...ity-4719-windowssrv2016.json-expected.json | 129 +- .../test-security-4719.json-expected.json | 131 +- ...ity-4739-windowssrv2016.json-expected.json | 125 +- .../test-security-4743.json-expected.json | 131 +- .../test-security-4744.json-expected.json | 129 +- .../test-security-4745.json-expected.json | 129 +- .../test-security-4746.json-expected.json | 139 +- .../test-security-4747.json-expected.json | 139 +- .../test-security-4748.json-expected.json | 125 +- .../test-security-4749.json-expected.json | 129 +- .../test-security-4750.json-expected.json | 129 +- .../test-security-4751.json-expected.json | 139 +- .../test-security-4752.json-expected.json | 139 +- .../test-security-4753.json-expected.json | 125 +- .../test-security-4759.json-expected.json | 129 +- .../test-security-4760.json-expected.json | 129 +- .../test-security-4761.json-expected.json | 139 +- .../test-security-4762.json-expected.json | 139 +- .../test-security-4763.json-expected.json | 125 +- ...ity-4817-windowssrv2016.json-expected.json | 125 +- ...ity-4902-windowssrv2016.json-expected.json | 83 +- ...ity-4904-windowssrv2016.json-expected.json | 123 +- 
...ity-4905-windowssrv2016.json-expected.json | 123 +- ...ity-4906-windowssrv2016.json-expected.json | 81 +- ...ity-4907-windowssrv2016.json-expected.json | 129 +- ...curity-windows2012-4673.json-expected.json | 123 +- ...curity-windows2012-4697.json-expected.json | 129 +- ...curity-windows2012-4768.json-expected.json | 141 +- ...curity-windows2012-4769.json-expected.json | 139 +- ...curity-windows2012-4770.json-expected.json | 129 +- ...curity-windows2012-4771.json-expected.json | 129 +- ...curity-windows2012-4776.json-expected.json | 105 +- ...curity-windows2012-4778.json-expected.json | 125 +- ...curity-windows2012-4779.json-expected.json | 125 +- ...ity-windows2012r2-logon.json-expected.json | 2560 ++- ...16-4722-account-enabled.json-expected.json | 224 +- ...16-4723-password-change.json-expected.json | 226 +- ...016-4724-password-reset.json-expected.json | 224 +- ...6-4725-account-disabled.json-expected.json | 224 +- ...16-4726-account-deleted.json-expected.json | 228 +- ...curity-windows2016-4727.json-expected.json | 129 +- ...curity-windows2016-4728.json-expected.json | 137 +- ...curity-windows2016-4729.json-expected.json | 137 +- ...curity-windows2016-4730.json-expected.json | 125 +- ...curity-windows2016-4731.json-expected.json | 129 +- ...curity-windows2016-4732.json-expected.json | 137 +- ...curity-windows2016-4733.json-expected.json | 137 +- ...curity-windows2016-4734.json-expected.json | 125 +- ...curity-windows2016-4735.json-expected.json | 129 +- ...curity-windows2016-4737.json-expected.json | 129 +- ...16-4738-account-changed.json-expected.json | 159 +- ...4740-account-locked-out.json-expected.json | 119 +- ...curity-windows2016-4754.json-expected.json | 129 +- ...curity-windows2016-4755.json-expected.json | 129 +- ...curity-windows2016-4756.json-expected.json | 137 +- ...curity-windows2016-4757.json-expected.json | 137 +- ...curity-windows2016-4758.json-expected.json | 125 +- ...curity-windows2016-4764.json-expected.json | 127 +- 
...6-4767-account-unlocked.json-expected.json | 119 +- ...16-4781-account-renamed.json-expected.json | 236 +- ...curity-windows2016-4798.json-expected.json | 123 +- ...curity-windows2016-4799.json-expected.json | 129 +- ...rity-windows2016-logoff.json-expected.json | 214 +- ...19-4688-process-created.json-expected.json | 137 +- ...019-4689-process-exited.json-expected.json | 325 +- ...smon-operational-events.json-expected.json | 18905 ++++++++-------- .../ingest_pipeline/powershell.yml | 3 - .../powershell_operational.yml | 3 - .../ingest_pipeline/security.yml | 3 - .../ingest_pipeline/sysmon_operational.yml | 3 - 83 files changed, 16044 insertions(+), 16367 deletions(-) diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json index c7eb3a05c92..b2c5deb1628 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json 
@@ -2,126 +2,83 @@ "expected": [ { "@timestamp": "2020-05-13T09:04:04.755Z", - "winlog": { - "computer_name": "vagrant", - "record_id": "790", - "process": { - "pid": 4204, - "thread": { - "id": 1476 - } - }, - "event_id": "4105", - "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", - "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, - "user": { - "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "verbose" - }, - "powershell": { - "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623", - "file": { - "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T05:16:15.030902415Z", + "category": "process", "code": "4105", + "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData 
Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", "type": "start" }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" }, "tags": [ "forwarded" - ] - }, - { - "process": { - "args": [ - "C:\\Windows\\system32\\wsmprovhost.exe", - "-Embedding" - ], - "args_count": 2, - "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", - "title": "ServerRemoteHost", - "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "3885", + "event_id": "4105", "process": { - "pid": 3984, + "pid": 4204, "thread": { - "id": 3616 + "id": 1476 } }, - "event_id": "4103", "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "790", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, - "log": { - "level": "information" - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-15T08:11:47.897Z", "destination": { "user": { - "name": "vagrant", - "domain": "VAGRANT" - } - }, - "source": { - "user": { - "name": "vagrant", - "domain": "VAGRANT" + "domain": "VAGRANT", + "name": "vagrant" } }, - "tags": [ - "forwarded" - ], - "@timestamp": "2020-05-15T08:11:47.897Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": 
[ - "vagrant" - ] + "event": { + "category": "process", + "code": "4103", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u0026lt;\u0026lt;===\u0026gt;\u0026gt; 
\\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; 
value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "sequence": 34, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" }, "powershell": { - "pipeline_id": "1", - "process": { - "executable_version": "1.0.0.0" - }, - "id": "Microsoft.PowerShell", - "engine": { - "version": "5.1.17763.1007" - }, - "runspace_id": "0729459a-8646-4176-8b02-024421a9632e", "command": { - "name": "cmd.exe", - "path": "C:\\Windows\\system32\\cmd.exe", "invocation_details": [ { "related_command": "cmd.exe", 
@@ -134,139 +91,178 @@ "value": "\"Out-Null\"" }, { - "related_command": "Out-Null", "name": "\"InputObject\"", + "related_command": "Out-Null", "type": "ParameterBinding", "value": "\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"" } ], + "name": "cmd.exe", + "path": "C:\\Windows\\system32\\cmd.exe", "type": "Application" - } + }, + "engine": { + "version": "5.1.17763.1007" + }, + "id": "Microsoft.PowerShell", + "pipeline_id": "1", + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "0729459a-8646-4176-8b02-024421a9632e" }, - "host": { - "name": "vagrant" + "process": { + "args": [ + "C:\\Windows\\system32\\wsmprovhost.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", + "title": "ServerRemoteHost" }, - "event": { - "sequence": 34, - "ingested": "2022-01-12T05:16:15.030904657Z", - "code": "4103", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = 
Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = 
aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", - "type": "info" + "related": { + "user": [ + "vagrant" + ] + }, + "source": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } }, + "tags": [ + "forwarded" + ], "user": { - "name": "vagrant", "domain": "VAGRANT", - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, - { - "@timestamp": "2020-05-13T10:40:32.595Z", + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", + "name": "vagrant" + }, "winlog": { + "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "933", + "event_id": "4103", "process": { - "pid": 4776, + "pid": 3984, "thread": { - "id": 5092 + "id": 3616 } }, - "event_id": "4106", "provider_guid": 
"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "3885", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-13T10:40:32.595Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": "process", + "code": "4106", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "type": "end" + }, + "host": { + "name": "vagrant" + }, "log": { "level": "verbose" }, "powershell": { - "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332", "file": { "script_block_id": "4c487c13-46f7-4485-925b-34855c7e873c" - } - }, - "host": { - "name": "vagrant" - 
}, - "event": { - "ingested": "2022-01-12T05:16:15.030905579Z", - "code": "4106", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", - "type": "end" + }, + "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332" }, + "tags": [ + "forwarded" + ], "user": { "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-05-14T11:33:51.389Z", "winlog": { + "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "3580", + "event_id": "4106", "process": { - "pid": 4844, + "pid": 4776, "thread": { - "id": 4428 + "id": 5092 } }, - "event_id": "4104", "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": 
"Microsoft-Windows-PowerShell/Operational", - "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "933", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-14T11:33:51.389Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "verbose" - }, - "powershell": { - "sequence": 1, - "total": 1, - "file": { - "script_block_text": ".\\patata.ps1", - "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T05:16:15.030906349Z", + "category": "process", "code": "4104", + "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.389266200Z'/\u003e\u003cEventRecordID\u003e3580\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0001-18e0-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e.\\patata.ps1\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003e50d2dbda-7361-4926-a94d-d9eadfdb43fa\u003c/Data\u003e\u003cData 
Name='Path'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.393884800Z'/\u003e\u003cEventRecordID\u003e3582\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0000-79db-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003ef5521cbd-656e-4296-b74d-9ffb4eec23b0\u003c/Data\u003e\u003cData Name='Path'\u003eC:\\Users\\vagrant\\Desktop\\patata.ps1\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", "type": "info" }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", + "script_block_text": ".\\patata.ps1" + }, + "sequence": 1, + "total": 1 }, "tags": [ "forwarded" - ] + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", + "channel": 
"Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4104", + "process": { + "pid": 4844, + "thread": { + "id": 4428 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "3580", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json index b532e648de2..b2c5deb1628 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json 
@@ -2,126 +2,83 @@ "expected": [ { "@timestamp": "2020-05-13T09:04:04.755Z", - "winlog": { - "computer_name": "vagrant", - "record_id": "790", - "process": { - "pid": 4204, - "thread": { - "id": 1476 - } - }, - "event_id": "4105", - "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", - "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, - "user": { - "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "verbose" - }, - "powershell": { - "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623", - "file": { - "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T05:16:17.039425715Z", + "category": "process", "code": "4105", + "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData 
Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", "type": "start" }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" }, "tags": [ "forwarded" - ] - }, - { - "process": { - "args": [ - "C:\\Windows\\system32\\wsmprovhost.exe", - "-Embedding" - ], - "args_count": 2, - "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", - "title": "ServerRemoteHost", - "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "3885", + "event_id": "4105", "process": { - "pid": 3984, + "pid": 4204, "thread": { - "id": 3616 + "id": 1476 } }, - "event_id": "4103", "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "790", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, - "log": { - "level": "information" - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-15T08:11:47.897Z", "destination": { "user": { - "name": "vagrant", - "domain": "VAGRANT" - } - }, - "source": { - "user": { - "name": "vagrant", - "domain": "VAGRANT" + "domain": "VAGRANT", + "name": "vagrant" } }, - "tags": [ - "forwarded" - ], - "@timestamp": "2020-05-15T08:11:47.897Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": 
[ - "vagrant" - ] + "event": { + "category": "process", + "code": "4103", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u0026lt;\u0026lt;===\u0026gt;\u0026gt; 
\\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; 
value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "sequence": 34, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" }, "powershell": { - "pipeline_id": "1", - "process": { - "executable_version": "1.0.0.0" - }, - "id": "Microsoft.PowerShell", - "engine": { - "version": "5.1.17763.1007" - }, - "runspace_id": "0729459a-8646-4176-8b02-024421a9632e", "command": { - "name": "cmd.exe", - "path": "C:\\Windows\\system32\\cmd.exe", "invocation_details": [ { "related_command": "cmd.exe", 
@@ -134,139 +91,178 @@ "value": "\"Out-Null\"" }, { - "related_command": "Out-Null", "name": "\"InputObject\"", + "related_command": "Out-Null", "type": "ParameterBinding", "value": "\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"" } ], + "name": "cmd.exe", + "path": "C:\\Windows\\system32\\cmd.exe", "type": "Application" - } + }, + "engine": { + "version": "5.1.17763.1007" + }, + "id": "Microsoft.PowerShell", + "pipeline_id": "1", + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "0729459a-8646-4176-8b02-024421a9632e" }, - "host": { - "name": "vagrant" + "process": { + "args": [ + "C:\\Windows\\system32\\wsmprovhost.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", + "title": "ServerRemoteHost" }, - "event": { - "sequence": 34, - "ingested": "2022-01-12T05:16:17.039428693Z", - "code": "4103", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = 
Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = 
aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", - "type": "info" + "related": { + "user": [ + "vagrant" + ] + }, + "source": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } }, + "tags": [ + "forwarded" + ], "user": { - "name": "vagrant", "domain": "VAGRANT", - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, - { - "@timestamp": "2020-05-13T10:40:32.595Z", + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", + "name": "vagrant" + }, "winlog": { + "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "933", + "event_id": "4103", "process": { - "pid": 4776, + "pid": 3984, "thread": { - "id": 5092 + "id": 3616 } }, - "event_id": "4106", "provider_guid": 
"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "3885", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-13T10:40:32.595Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": "process", + "code": "4106", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "type": "end" + }, + "host": { + "name": "vagrant" + }, "log": { "level": "verbose" }, "powershell": { - "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332", "file": { "script_block_id": "4c487c13-46f7-4485-925b-34855c7e873c" - } - }, - "host": { - "name": "vagrant" - 
}, - "event": { - "ingested": "2022-01-12T05:16:17.039429695Z", - "code": "4106", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", - "type": "end" + }, + "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332" }, + "tags": [ + "forwarded" + ], "user": { "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-05-14T11:33:51.389Z", "winlog": { + "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "3580", + "event_id": "4106", "process": { - "pid": 4844, + "pid": 4776, "thread": { - "id": 4428 + "id": 5092 } }, - "event_id": "4104", "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": 
"Microsoft-Windows-PowerShell/Operational", - "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "933", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-14T11:33:51.389Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "verbose" - }, - "powershell": { - "sequence": 1, - "total": 1, - "file": { - "script_block_text": ".\\patata.ps1", - "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T05:16:17.039430473Z", + "category": "process", "code": "4104", + "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.389266200Z'/\u003e\u003cEventRecordID\u003e3580\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0001-18e0-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e.\\patata.ps1\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003e50d2dbda-7361-4926-a94d-d9eadfdb43fa\u003c/Data\u003e\u003cData 
Name='Path'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.393884800Z'/\u003e\u003cEventRecordID\u003e3582\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0000-79db-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003ef5521cbd-656e-4296-b74d-9ffb4eec23b0\u003c/Data\u003e\u003cData Name='Path'\u003eC:\\Users\\vagrant\\Desktop\\patata.ps1\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", "type": "info" }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", + "script_block_text": ".\\patata.ps1" + }, + "sequence": 1, + "total": 1 }, "tags": [ "forwarded" - ] + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", + "channel": 
"Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4104", + "process": { + "pid": 4844, + "thread": { + "id": 4428 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "3580", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json index 8e8c6f12819..ba8907c944d 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json 
@@ -1,60 +1,59 @@
 {
 "expected": [
 {
+ "@timestamp": "2019-11-07T10:37:04.226Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "bcbde3d3-6558-46d7-aaee-ed9cf67e04d3",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
- "@timestamp": "2019-11-07T10:37:04.226Z",
- "winlog": {
- "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "record_id": "14257",
- "process": {
- "pid": 1144,
- "thread": {
- "id": 4532
- }
- },
- "event_id": "1100",
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
- "channel": "Security",
- "time_created": "2019-11-07T10:37:04.226Z",
- "opcode": "Info",
- "provider_name": "Microsoft-Windows-Eventlog",
- "outcome": "success"
- },
 "ecs": {
 "version": "8.0.0"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml"
- }
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- },
 "event": {
- "ingested": "2022-01-12T05:16:18.700629099Z",
- "code": "1100",
- "provider": "Microsoft-Windows-Eventlog",
- "kind": "event",
 "action": "logging-service-shutdown",
 "category": [
 "process"
 ],
+ "code": "1100",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Eventlog",
 "type": [
 "end"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml"
+ },
+ "level": "information"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_id": "1100",
+ "keywords": [
+ "Audit Success"
 ],
- "outcome": "success"
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 1144,
+ "thread": {
+ "id": 4532
+ }
+ },
+ "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_name": "Microsoft-Windows-Eventlog",
+ "record_id": "14257",
+ "time_created": "2019-11-07T10:37:04.226Z"
 }
 }
 ]
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json
index feaaf2a0289..af2f03a724d 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json
@@ -1,22 +1,54 @@
 {
 "expected": [
 {
+ "@timestamp": "2019-11-07T10:34:29.055Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "737c4709-1498-44d4-b1e6-d21cac1470e5",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
- "@timestamp": "2019-11-07T10:34:29.055Z",
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "audit-log-cleared",
+ "category": [
+ "iam"
+ ],
+ "code": "1102",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Eventlog",
+ "type": [
+ "admin",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "user": {
+ "domain": "WLBEAT",
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
+ },
 "winlog": {
+ "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "process": {
- "pid": 1144,
- "thread": {
- "id": 1824
- }
- },
+ "event_id": "1102",
 "keywords": [
 "Audit Success"
 ],
@@ -24,58 +56,25 @@
 "logon": {
 "id": "0x50e87"
 },
- "channel": "Security",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 1144,
+ "thread": {
+ "id": 1824
+ }
+ },
+ "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_name": "Microsoft-Windows-Eventlog",
+ "record_id": "14224",
+ "time_created": "2019-11-07T10:34:29.055Z",
 "user_data": {
- "SubjectUserName": "Administrator",
 "SubjectDomainName": "WLBEAT",
 "SubjectLogonId": "0x50e87",
+ "SubjectUserName": "Administrator",
 "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
 "xml_name": "LogFileCleared"
- },
- "opcode": "Info",
- "record_id": "14224",
- "event_id": "1102",
- "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
- "time_created": "2019-11-07T10:34:29.055Z",
- "provider_name": "Microsoft-Windows-Eventlog",
- "outcome": "success"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "related": {
- "user": [
- "Administrator"
- ]
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml"
 }
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- },
- "event": {
- "ingested": "2022-01-12T05:16:18.932471733Z",
- "code": "1102",
- "provider": "Microsoft-Windows-Eventlog",
- "kind": "event",
- "action": "audit-log-cleared",
- "category": [
- "iam"
- ],
- "type": [
- "admin",
- "change"
- ],
- "outcome": "success"
- },
- "user": {
- "name": "Administrator",
- "domain": "WLBEAT",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
 }
 }
 ]
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json
index 1ada71dc9f2..eb9a575b682 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-expected.json 
@@ -1,60 +1,59 @@ { "expected": [ { + "@timestamp": "2019-11-08T07:56:17.321Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "ba338c91-ffb8-4b65-8c25-7990b1cf0e01", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-11-08T07:56:17.321Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "record_id": "19352", - "process": { - "pid": 1096, - "thread": { - "id": 1444 - } - }, - "event_id": "1104", - "keywords": [ - "Audit Success" - ], - "level": "error", - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", - "channel": "Security", - "time_created": "2019-11-08T07:56:17.321Z", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Eventlog", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "error", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1104.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:16:19.597216295Z", - "code": "1104", - "provider": "Microsoft-Windows-Eventlog", - "kind": "event", "action": "logging-full", "category": [ "iam" ], + "code": "1104", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", "type": [ "admin" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1104.xml" + }, + "level": "error" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1104", + "keywords": [ + "Audit Success" ], - "outcome": "success" + "level": "error", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 1096, + "thread": { + "id": 1444 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + 
"provider_name": "Microsoft-Windows-Eventlog", + "record_id": "19352", + "time_created": "2019-11-08T07:56:17.321Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json index b0f659d9607..9d3b8c773d1 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-expected.json 
@@ -1,65 +1,64 @@ { "expected": [ { + "@timestamp": "2019-11-07T16:22:14.842Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "1b3ec690-31c3-4062-acdc-2afa56638178", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-11-07T16:22:14.842Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 1156, - "thread": { - "id": 1484 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "channel": "Security", - "user_data": { - "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx", - "xml_name": "AutoBackup", - "Channel": "Security" - }, - "opcode": "Info", - "record_id": "18197", - "event_id": "1105", - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", - "time_created": "2019-11-07T16:22:14.842Z", - "provider_name": "Microsoft-Windows-Eventlog", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1105.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:16:20.064677881Z", - "code": "1105", - "provider": "Microsoft-Windows-Eventlog", - "kind": "event", "action": "auditlog-archieved", "category": [ "iam" ], + "code": "1105", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", "type": [ "admin" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1105.xml" + }, + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1105", + "keywords": [ + "Audit Success" ], - "outcome": "success" + 
"level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 1156, + "thread": { + "id": 1484 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "18197", + "time_created": "2019-11-07T16:22:14.842Z", + "user_data": { + "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx", + "Channel": "Security", + "xml_name": "AutoBackup" + } } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json index 2d914d6d5e1..ab042344396 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json 
@@ -1,97 +1,96 @@ { "expected": [ { + "@timestamp": "2020-07-28T13:22:18.799Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "3d760cf7-94ed-4415-85cd-588f6adf9376", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "permissions-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4670", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml" + }, + "level": "information" + }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 764, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 764 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" }, - "@timestamp": "2020-07-28T13:22:18.799Z", "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 4, - "thread": { - "id": 4604 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { - "OldSdDacl1": "Network service account :Access Allowed ([Generic All])", - "OldSdDacl0": "Local system :Access Allowed ([Generic All])", + "HandleId": "0x56c", "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", - "SubjectLogonId": "0x3e7", + "NewSdDacl0": "Local system :Access Allowed ([Generic All])", + "NewSdDacl1": "OW :Access Allowed ([Read Permissions])", + "NewSdDacl2": 
"S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed ([Generic All])", "ObjectName": "-", + "ObjectServer": "Security", "ObjectType": "Token", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)", - "ObjectServer": "Security", - "NewSdDacl0": "Local system :Access Allowed ([Generic All])", - "HandleId": "0x56c", + "OldSdDacl0": "Local system :Access Allowed ([Generic All])", + "OldSdDacl1": "Network service account :Access Allowed ([Generic All])", "SubjectDomainName": "TEST", - "NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed ([Generic All])", - "NewSdDacl1": "OW :Access Allowed ([Read Permissions])", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", "SubjectUserSid": "S-1-5-18" }, - "opcode": "Info", - "record_id": "31932", "event_id": "4670", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 4604 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-07-28T13:22:18.799Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "event": { - "ingested": "2022-01-12T05:16:20.367757072Z", - "code": "4670", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "permissions-changed", - "category": [ - "iam", - "configuration" - ], - "type": [ - "admin", - "change" - ], - "outcome": "success" - }, - "user": { - "name": "WIN-BVM4LI1L1Q6$", - "domain": "TEST", - "id": "S-1-5-18" + "record_id": "31932", + 
"time_created": "2020-07-28T13:22:18.799Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json index b719d24ee0a..8fb08637e26 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-expected.json 
@@ -1,23 +1,66 @@ { "expected": [ { + "@timestamp": "2020-07-27T09:42:48.369Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "9e4d57e6-8caa-43f7-aa64-6b78dc45ae4d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-27T09:42:48.369Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "domain-trust-added", + "category": [ + "configuration" + ], + "code": "4706", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 3056 - } + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "%%1796", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" }, - "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "event_id": "4706", "keywords": [ "Audit Success" ], 
@@ -25,65 +68,21 @@ "logon": { "id": "0x6a868" }, - "channel": "Security", - "event_data": { - "SidFilteringEnabled": "%%1796", - "DomainSid": "S-1-0-0", - "SubjectUserName": "Administrator", - "DomainName": "192.168.230.153", - "SubjectDomainName": "TEST", - "TdoDirection": "3", - "SubjectLogonId": "0x6a868", - "TdoAttributes": "1", - "TdoType": "3", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" - }, "opcode": "Info", - "record_id": "6017", - "event_id": "4706", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 3056 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "6017", "time_created": "2020-07-27T09:42:48.369Z", + "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", - "trustType": "TRUST_TYPE_MIT", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "event": { - "ingested": "2022-01-12T05:16:21.543640792Z", - "code": "4706", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "domain-trust-added", - "category": [ - "configuration" - ], - "type": [ - "creation" - ], - "outcome": "success" - }, - "user": { - "name": "Administrator", - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500" + "trustType": "TRUST_TYPE_MIT" } } ] 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json index 6269d516ade..d258bfedc83 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-expected.json 
@@ -1,81 +1,80 @@ { "expected": [ { + "@timestamp": "2020-07-28T06:18:04.600Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "3d917dba-6707-4ee1-be70-ba855a9e5b1c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-28T06:18:04.600Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 2012 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x6a868" - }, - "channel": "Security", - "event_data": { - "DomainSid": "S-1-0-0", - "SubjectUserName": "Administrator", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x6a868", - "DomainName": "192.168.230.153", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" - }, - "opcode": "Info", - "record_id": "13679", - "event_id": "4707", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-07-28T06:18:04.600Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, "event": { - "ingested": "2022-01-12T05:16:21.884763576Z", - "code": "4707", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "domain-trust-removed", "category": [ "configuration" ], + "code": "4707", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "deletion" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500" + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": "4707", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13679", + "time_created": "2020-07-28T06:18:04.600Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json index 539c144622b..7f197a8b7cc 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-expected.json 
@@ -1,81 +1,80 @@ { "expected": [ { + "@timestamp": "2020-07-28T10:15:43.495Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "00d05603-1d0f-476c-99f7-059a70f43625", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-28T10:15:43.495Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 2012 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "21265", - "event_id": "4713", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", - "time_created": "2020-07-28T10:15:43.495Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, "event": { - "ingested": "2022-01-12T05:16:22.712097993Z", - "code": "4713", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "kerberos-policy-changed", "category": [ "configuration" ], + "code": "4713", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": 
"WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] }, "user": { - "name": "WIN-BVM4LI1L1Q6$", "domain": "TEST", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4713", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "21265", + "time_created": "2020-07-28T10:15:43.495Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json index a247e38971d..58b0730cfa7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-expected.json 
@@ -1,23 +1,66 @@ { "expected": [ { + "@timestamp": "2020-07-28T08:17:00.470Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "73327973-22b1-49d2-ba3c-f467e39c81a0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-28T08:17:00.470Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "trusted-domain-information-changed", + "category": [ + "configuration" + ], + "code": "4716", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 3776 - } + "event_data": { + "DomainName": "-", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" }, - "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "event_id": "4716", "keywords": [ "Audit Success" ], 
@@ -25,65 +68,21 @@ "logon": { "id": "0x6a868" }, - "channel": "Security", - "event_data": { - "SidFilteringEnabled": "-", - "DomainSid": "S-1-0-0", - "SubjectUserName": "Administrator", - "DomainName": "-", - "SubjectDomainName": "TEST", - "TdoDirection": "3", - "SubjectLogonId": "0x6a868", - "TdoAttributes": "1", - "TdoType": "3", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" - }, "opcode": "Info", - "record_id": "14929", - "event_id": "4716", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 3776 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "14929", "time_created": "2020-07-28T08:17:00.470Z", + "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", - "trustType": "TRUST_TYPE_MIT", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "event": { - "ingested": "2022-01-12T05:16:23.022353581Z", - "code": "4716", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "trusted-domain-information-changed", - "category": [ - "configuration" - ], - "type": [ - "change" - ], - "outcome": "success" - }, - "user": { - "name": "Administrator", - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500" + "trustType": "TRUST_TYPE_MIT" } } ] 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json index bc114bc054d..02be43b6a4a 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-expected.json 
@@ -1,84 +1,83 @@ { "expected": [ { + "@timestamp": "2020-07-27T09:30:41.903Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "1271c200-5f2f-42c7-bc2f-abbdc1211f37", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-27T09:30:41.903Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6", - "process": { - "pid": 776, - "thread": { - "id": 820 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "TargetSid": "S-1-5-9", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "WORKGROUP", - "AccessGranted": "SeNetworkLogonRight", - "SubjectLogonId": "0x3e7", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "1571", - "event_id": "4717", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", - "time_created": "2020-07-27T09:30:41.903Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6" - }, "event": { - "ingested": "2022-01-12T05:16:23.658042468Z", - "code": "4717", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "system-security-access-granted", "category": [ "iam", "configuration" ], + "code": "4717", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] }, "user": { - "name": "WIN-BVM4LI1L1Q6$", "domain": "WORKGROUP", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessGranted": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-9" + }, + "event_id": "4717", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1571", + "time_created": "2020-07-27T09:30:41.903Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json index cf9672db2f0..b35c42e9390 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-expected.json 
@@ -1,84 +1,83 @@ { "expected": [ { + "@timestamp": "2020-07-27T09:30:41.877Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "2ab86036-bb3b-4131-a797-34f5dca7b048", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-27T09:30:41.877Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6", - "process": { - "pid": 776, - "thread": { - "id": 820 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "AccessRemoved": "SeNetworkLogonRight", - "TargetSid": "S-1-5-32-545", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "1565", - "event_id": "4718", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", - "time_created": "2020-07-27T09:30:41.877Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6" - }, "event": { - "ingested": "2022-01-12T05:16:24.157740310Z", - "code": "4718", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "system-security-access-removed", "category": [ "iam", "configuration" ], + "code": "4718", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "deletion" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] }, "user": { - "name": "WIN-BVM4LI1L1Q6$", "domain": "WORKGROUP", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessRemoved": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-32-545" + }, + "event_id": "4718", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1565", + "time_created": "2020-07-27T09:30:41.877Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json index 088844a96f6..51c28011e68 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2020-08-18T13:45:57.480Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "615d6dcc-ad38-494d-a4d6-bc35a1bcb7fe", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-08-18T13:45:57.480Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 780, - "thread": { - "id": 2764 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x44d7d" - }, - "channel": "Security", - "event_data": { - "CategoryId": "%%8274", - "SubjectUserName": "Administrator", - "Category": "Object Access", - "AuditPolicyChanges": "%%8448", - "SubcategoryId": "%%12804", - "SubCategory": "Other Object Access Events", - "SubjectDomainName": "TEST", - "AuditPolicyChangesDescription": [ - "Success removed" - ], - "SubjectLogonId": "0x44d7d", - "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" - }, - "opcode": "Info", - "record_id": "123879", - "event_id": "4719", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", - "time_created": "2020-08-18T13:45:57.480Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, "event": { - "ingested": "2022-01-12T05:16:24.553365797Z", - "code": "4719", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-audit-config", "category": [ "iam", "configuration" ], + "code": 
"4719", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500" + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditPolicyChanges": "%%8448", + "AuditPolicyChangesDescription": [ + "Success removed" + ], + "Category": "Object Access", + "CategoryId": "%%8274", + "SubCategory": "Other Object Access Events", + "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", + "SubcategoryId": "%%12804", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x44d7d", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": "4719", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x44d7d" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 2764 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "123879", + "time_created": "2020-08-18T13:45:57.480Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json index 89be14586eb..c23e65ecc39 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-expected.json 
@@ -1,92 +1,91 @@ { "expected": [ { + "@timestamp": "2019-11-07T15:22:57.655Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "a5d5ef8c-c4b4-402a-9d5d-a3643947e76a", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-11-07T15:22:57.655Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 2944 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "CategoryId": "%%8273", - "SubjectUserName": "WIN-41OB2LO92CR$", - "Category": "Logon/Logoff", - "AuditPolicyChanges": "%%8449, %%8451", - "SubcategoryId": "%%12552", - "SubCategory": "Network Policy Server", - "SubjectDomainName": "WLBEAT", - "AuditPolicyChangesDescription": [ - "Success Added", - "Failure Added" - ], - "SubjectLogonId": "0x3e7", - "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "17154", - "event_id": "4719", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}", - "time_created": "2019-11-07T15:22:57.655Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:16:25.252869848Z", - "code": "4719", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-audit-config", "category": [ "iam", "configuration" ], + "code": "4719", + "kind": "event", + 
"outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$" + ] }, "user": { - "name": "WIN-41OB2LO92CR$", "domain": "WLBEAT", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "AuditPolicyChanges": "%%8449, %%8451", + "AuditPolicyChangesDescription": [ + "Success Added", + "Failure Added" + ], + "Category": "Logon/Logoff", + "CategoryId": "%%8273", + "SubCategory": "Network Policy Server", + "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}", + "SubcategoryId": "%%12552", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4719", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 2944 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "17154", + "time_created": "2019-11-07T15:22:57.655Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json index 34dab01edde..e661faa33fa 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-expected.json 
@@ -1,88 +1,87 @@ { "expected": [ { + "@timestamp": "2020-07-27T09:34:50.157Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "bd63c19a-cad0-4833-9b84-5ed4e7e27cc5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-27T09:34:50.157Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 812 - } - }, - "keywords": [ - "Audit Success" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "domain-policy-changed", + "category": [ + "configuration" ], - "level": "information", - "logon": { - "id": "0x3e7" + "code": "4739", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.xml" }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { + "DomainBehaviorVersion": "-", "DomainName": "TEST", - "SubjectLogonId": "0x3e7", - "PasswordHistoryLength": "-", + "DomainPolicyChanged": "Password Policy", "DomainSid": "S-1-5-21-2024912787-2692429404-2351956786", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "OemInformation": "-", "MachineAccountQuota": "-", "MixedDomainMode": "-", - "SubjectDomainName": "TEST", - "DomainBehaviorVersion": "-", - "DomainPolicyChanged": "Password Policy", + "OemInformation": "-", + "PasswordHistoryLength": "-", "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", "SubjectUserSid": 
"S-1-5-18" }, - "opcode": "Info", - "record_id": "3532", "event_id": "4739", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 812 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-07-27T09:34:50.157Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "event": { - "ingested": "2022-01-12T05:16:42.216548813Z", - "code": "4739", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "domain-policy-changed", - "category": [ - "configuration" - ], - "type": [ - "change" - ], - "outcome": "success" - }, - "user": { - "name": "WIN-BVM4LI1L1Q6$", - "domain": "TEST", - "id": "S-1-5-18" + "record_id": "3532", + "time_created": "2020-07-27T09:34:50.157Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json index 0e94c22ab22..f2ad8d32396 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-18T16:25:21.578Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "851a38b2-b036-44b2-9c64-2ee2c4567d73", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-18T16:25:21.578Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "computerObject": { - "name": "TESTCOMPUTEROBJ$", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2902" - }, - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "TESTCOMPUTEROBJ$", - "TargetDomainName": "TEST", - "PrivilegeList": [ - "-" - ], - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3699966", - "event_id": "4743", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-18T16:25:21.578Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4743.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:16:54.018008333Z", - "code": "4743", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-computer-account", "category": [ "iam" ], + "code": "4743", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", 
"type": [ "deletion", "admin" - ], - "outcome": "success" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4743.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] }, "user": { - "name": "at_adm", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computerObject": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2902", + "name": "TESTCOMPUTEROBJ$" + }, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": [ + "-" + ], + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", + "TargetUserName": "TESTCOMPUTEROBJ$" + }, + "event_id": "4743", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3699966", + "time_created": "2019-12-18T16:25:21.578Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json index 74df7d98791..633a3e5cadb 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-18T16:26:46.874Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "8110911f-6b3a-4c77-9d29-41319d5bfa08", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-18T16:26:46.874Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testdistlocal", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testdistlocal", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3699973", - "event_id": "4744", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-18T16:26:46.874Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:17:04.764816597Z", - "code": "4744", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-distribution-group-account", "category": [ "iam" ], + "code": "4744", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": "success" + ] }, - "user": { - 
"name": "at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal" }, - "group": { - "name": "testdistlocal", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testdistlocal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal" + }, + "event_id": "4744", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3699973", + "time_created": "2019-12-18T16:26:46.874Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json index e07bab56b94..0bdc8827330 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-18T16:29:05.017Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "cd7f1761-3be1-4d56-bcc6-c0d761791c5c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-18T16:29:05.017Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testdistlocal1", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testdistlocal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3700000", - "event_id": "4745", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-18T16:29:05.017Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:17:15.674723767Z", - "code": "4745", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-distribution-group-account", "category": [ "iam" ], + "code": "4745", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] }, - "user": { - 
"name": "at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" }, - "group": { - "name": "testdistlocal1", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testdistlocal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4745", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700000", + "time_created": "2019-12-18T16:29:05.017Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json index 29f0fdcb05a..8a6130d9131 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-expected.json 
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-12-18T16:31:01.611Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "fc9e565f-bcec-4532-805f-3f5b942b5642", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-18T16:31:01.611Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testdistlocal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3700022", - "event_id": "4746", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-18T16:31:01.611Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:17:28.666025185Z", - "code": "4746", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-distribution-group", "category": [ "iam" ], + "code": "4746", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "group": { - "name": "testdistlocal1", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" } }, - "group": { - "name": "testdistlocal1", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4746", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700022", + "time_created": 
"2019-12-18T16:31:01.611Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json index 372addb5a35..3dffff31130 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-expected.json 
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-12-18T16:35:16.681Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "0475a24c-6c58-4fe5-bcca-e508c2ba84a2", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-18T16:35:16.681Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testdistlocal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3700064", - "event_id": "4747", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-18T16:35:16.681Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:17:49.621225037Z", - "code": "4747", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-distribution-group", "category": [ "iam" ], + "code": "4747", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "group": { - "name": "testdistlocal1", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" } }, - "group": { - "name": "testdistlocal1", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4747", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700064", + "time_created": 
"2019-12-18T16:35:16.681Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json index d27b45a6c6b..dc0a383cf2a 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:01:45.982Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "92ff57cc-8a87-45ee-a407-525b380b8b06", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:01:45.982Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testdistlocal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707490", - "event_id": "4748", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:01:45.982Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:18:10.771544375Z", - "code": "4748", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-distribution-group-account", "category": [ "iam" ], + "code": "4748", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": "at_adm", + "group": { "domain": "TEST", - "id": 
"S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" }, - "group": { - "name": "testdistlocal1", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4748", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707490", + "time_created": "2019-12-19T08:01:45.982Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json index 58cb1aa9953..c33b185fe01 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:03:42.723Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "45230148-94bf-45cf-8eb1-339760e041d3", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:03:42.723Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testglobal", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testglobal", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707497", - "event_id": "4749", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:03:42.723Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:18:23.465141248Z", - "code": "4749", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-distribution-group-account", "category": [ "iam" ], + "code": "4749", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal" }, - "group": { - "name": "testglobal", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal" + }, + "event_id": "4749", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707497", + "time_created": "2019-12-19T08:03:42.723Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json index 002183a22b7..97d6c312747 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:10:57.473Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "764fe6a7-38ac-43f0-b125-6388fd0c33e6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:10:57.473Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testglobal1", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testglobal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707550", - "event_id": "4750", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:10:57.473Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:18:39.374215274Z", - "code": "4750", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-distribution-group-account", "category": [ "iam" ], + "code": "4750", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] }, - "user": { - 
"name": "at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" }, - "group": { - "name": "testglobal1", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4750", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707550", + "time_created": "2019-12-19T08:10:57.473Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json index 5b03f05e120..817664c9473 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-expected.json 
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:20:29.088Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "217ae042-3cca-46d1-bfa9-e65a2044307b", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:20:29.088Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testglobal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707667", - "event_id": "4751", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:20:29.088Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:18:50.415643906Z", - "code": "4751", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-distribution-group", "category": [ "iam" ], + "code": "4751", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "group": { - "name": "testglobal1", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" } }, - "group": { - "name": "testglobal1", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4751", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707667", + "time_created": 
"2019-12-19T08:20:29.088Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json index 88004a766a3..f118ec17f91 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-expected.json 
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:21:23.644Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "60028370-f07b-4e9d-a025-de2a73da6d62", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:21:23.644Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testglobal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707686", - "event_id": "4752", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:21:23.644Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:19:01.048869382Z", - "code": "4752", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-distribution-group", "category": [ "iam" ], + "code": "4752", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "group": { - "name": "testglobal1", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" } }, - "group": { - "name": "testglobal1", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4752", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707686", + "time_created": 
"2019-12-19T08:21:23.644Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json index 6afb498c0a7..7a07ac8e1e0 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:24:36.595Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "35c58767-a921-4503-a9ea-086fb7326910", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:24:36.595Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testglobal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707709", - "event_id": "4753", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:24:36.595Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:19:02.395059046Z", - "code": "4753", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-distribution-group-account", "category": [ "iam" ], + "code": "4753", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": "at_adm", + "group": { "domain": "TEST", - "id": 
"S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" }, - "group": { - "name": "testglobal1", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4753", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707709", + "time_created": "2019-12-19T08:24:36.595Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json index 4080249f5b7..878534a9787 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:26:26.143Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "c67ac17a-6afd-4a2e-a1e9-5177024c937c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:26:26.143Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testuni", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testuni", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707737", - "event_id": "4759", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:26:26.143Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:19:03.340454926Z", - "code": "4759", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-distribution-group-account", "category": [ "iam" ], + "code": "4759", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni" }, - "group": { - "name": "testuni", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testuni", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni" + }, + "event_id": "4759", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707737", + "time_created": "2019-12-19T08:26:26.143Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json index fe663b8eaa7..7ee77583c73 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:28:21.030Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "9bad4bd9-375e-474f-b410-74962cfaccd0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:28:21.030Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testuni2", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testuni2", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707745", - "event_id": "4760", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:28:21.030Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:19:04.515699675Z", - "code": "4760", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-distribution-group-account", "category": [ "iam" ], + "code": "4760", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" }, - "group": { - "name": "testuni2", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testuni2", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4760", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707745", + "time_created": "2019-12-19T08:28:21.030Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json index 117ffbcbaf2..185ed34cafc 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-expected.json 
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:29:38.448Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "cae437da-c042-490f-95a6-c9e54a2d15db", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:29:38.448Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testuni2", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707755", - "event_id": "4761", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:29:38.448Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:19:05.678972947Z", - "code": "4761", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-distribution-group", "category": [ "iam" ], + "code": "4761", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", 
"type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "group": { - "name": "testuni2", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" } }, - "group": { - "name": "testuni2", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4761", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707755", + "time_created": "2019-12-19T08:29:38.448Z" } } ] 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json
index dfcfe5e66a7..8527d599431 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-expected.json
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:33:25.967Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "41db62b1-ba4b-4ca5-b44a-41d30f14b154", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:33:25.967Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testuni2", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707841", - "event_id": "4762", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:33:25.967Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:19:06.399342493Z", - "code": "4762", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-distribution-group", "category": [ "iam" ], + "code": "4762", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "group": { - "name": "testuni2", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" } }, - "group": { - "name": "testuni2", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4762", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707841", + "time_created": "2019-12-19T08:33:25.967Z" } } 
]
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json
index f0e4bdd76b1..1c0b9338d41 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-expected.json
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:34:23.162Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "34714bdd-4b69-48f1-a4c6-c02799139342", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:34:23.162Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testuni2", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707847", - "event_id": "4763", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:34:23.162Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T05:19:07.318158028Z", - "code": "4763", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-distribution-group-account", "category": [ "iam" ], + "code": "4763", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": "at_adm", + "group": { "domain": "TEST", - "id": 
"S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" }, - "group": { - "name": "testuni2", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4763", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707847", + "time_created": "2019-12-19T08:34:23.162Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json index ead9a5be7a7..d62f0f64de6 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2020-08-17T12:49:09.494Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "c7c0a49b-a78b-4dd9-8928-44e2fc4322a9", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-08-17T12:49:09.494Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 3052 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "ObjectType": "Global SACL", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "ObjectServer": "LSA", - "SubjectDomainName": "TEST", - "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", - "SubjectLogonId": "0x3e7", - "NewSdSacl1": "null :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", - "NewSdSacl0": "Administrator :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", - "SubjectUserSid": "S-1-5-18", - "ObjectName": "File" - }, - "opcode": "Info", - "record_id": "114278", - "event_id": "4817", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", - "time_created": "2020-08-17T12:49:09.494Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - 
"user": [ - "WIN-BVM4LI1L1Q6$", - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, "event": { - "ingested": "2022-01-12T05:19:07.752563370Z", - "code": "4817", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "object-audit-changed", "category": [ "iam", "configuration" ], + "code": "4817", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$", + "Administrator" + ] }, "user": { - "name": "WIN-BVM4LI1L1Q6$", "domain": "TEST", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", + "NewSdSacl0": "Administrator :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", + "NewSdSacl1": "null :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify 
Permissions, Modify Owner])", + "ObjectName": "File", + "ObjectServer": "LSA", + "ObjectType": "Global SACL", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4817", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 3052 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "114278", + "time_created": "2020-08-17T12:49:09.494Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json index fbd859b1417..90ff128ffee 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-expected.json 
@@ -1,66 +1,65 @@ { "expected": [ { + "@timestamp": "2020-08-19T06:07:08.801Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "fc71c55d-e66b-404f-933a-7bf02109440e", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-08-19T06:07:08.801Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 784, - "thread": { - "id": 832 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "channel": "Security", - "event_data": { - "PuaCount": "0", - "PuaPolicyId": "0x9fd2" - }, - "opcode": "Info", - "record_id": "140273", - "event_id": "4902", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-08-19T06:07:08.801Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, "event": { - "ingested": "2022-01-12T05:19:08.704383879Z", - "code": "4902", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "user-audit-policy-created", "category": [ "iam", "configuration" ], + "code": "4902", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "creation" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.xml" + }, + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "PuaCount": "0", + "PuaPolicyId": "0x9fd2" + }, + "event_id": "4902", + "keywords": [ + 
"Audit Success" ], - "outcome": "success" + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 784, + "thread": { + "id": 832 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "140273", + "time_created": "2020-08-19T06:07:08.801Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json index a383a6d5be9..0cff5cf1919 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-expected.json 
@@ -1,27 +1,69 @@ { "expected": [ { + "@timestamp": "2020-08-19T07:56:52.019Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "14ac41cb-35f1-42cd-abe2-03f4a8a6a47c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "security-event-source-added", + "category": [ + "iam", + "configuration" + ], + "code": "4904", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml" + }, + "level": "information" + }, "process": { + "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", "name": "inetinfo.exe", - "pid": 3608, - "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe" + "pid": 3608 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" }, - "@timestamp": "2020-08-19T07:56:52.019Z", "winlog": { + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 784, - "thread": { - "id": 824 - } + "event_data": { + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x460422", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" }, + "event_id": "4904", "keywords": [ "Audit Success" ], 
@@ -29,61 +71,18 @@ "logon": { "id": "0x3e7" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "AuditSourceName": "IIS-METABASE", - "SubjectUserSid": "S-1-5-18", - "EventSourceId": "0x460422" - }, "opcode": "Info", - "record_id": "146939", - "event_id": "4904", + "outcome": "success", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", - "time_created": "2020-08-19T07:56:52.019Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "event": { - "ingested": "2022-01-12T05:19:08.929321388Z", - "code": "4904", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "security-event-source-added", - "category": [ - "iam", - "configuration" - ], - "type": [ - "admin", - "change" - ], - "outcome": "success" - }, - "user": { - "name": "WIN-BVM4LI1L1Q6$", - "domain": "TEST", - "id": "S-1-5-18" + "record_id": "146939", + "time_created": "2020-08-19T07:56:52.019Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json index c458d6f04d9..d82389c5756 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-expected.json 
@@ -1,27 +1,69 @@ { "expected": [ { + "@timestamp": "2020-08-19T07:56:51.579Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "5006f11d-fa2c-4238-810b-aa5e25ec5399", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "security-event-source-removed", + "category": [ + "iam", + "configuration" + ], + "code": "4905", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml" + }, + "level": "information" + }, "process": { + "executable": "-", "name": "-", - "pid": 4964, - "executable": "-" + "pid": 4964 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" }, - "@timestamp": "2020-08-19T07:56:51.579Z", "winlog": { + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 784, - "thread": { - "id": 824 - } + "event_data": { + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x457b22", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" }, + "event_id": "4905", "keywords": [ "Audit Success" ], 
@@ -29,61 +71,18 @@ "logon": { "id": "0x3e7" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "AuditSourceName": "IIS-METABASE", - "SubjectUserSid": "S-1-5-18", - "EventSourceId": "0x457b22" - }, "opcode": "Info", - "record_id": "146938", - "event_id": "4905", + "outcome": "success", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", - "time_created": "2020-08-19T07:56:51.579Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "event": { - "ingested": "2022-01-12T05:19:09.798135637Z", - "code": "4905", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "security-event-source-removed", - "category": [ - "iam", - "configuration" - ], - "type": [ - "admin", - "deletion" - ], - "outcome": "success" - }, - "user": { - "name": "WIN-BVM4LI1L1Q6$", - "domain": "TEST", - "id": "S-1-5-18" + "record_id": "146938", + "time_created": "2020-08-19T07:56:51.579Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json index fb08b058776..799d71df1a3 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-expected.json 
@@ -1,65 +1,64 @@ { "expected": [ { + "@timestamp": "2020-08-18T09:19:00.237Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "00431590-51a2-47a6-a2bf-f0ceaed9fa0f", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-08-18T09:19:00.237Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 780, - "thread": { - "id": 804 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "channel": "Security", - "event_data": { - "CrashOnAuditFailValue": "1" - }, - "opcode": "Info", - "record_id": "123786", - "event_id": "4906", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-08-18T09:19:00.237Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, "event": { - "ingested": "2022-01-12T05:19:10.154458073Z", - "code": "4906", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "crash-on-audit-changed", "category": [ "iam", "configuration" ], + "code": "4906", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.xml" + }, + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "CrashOnAuditFailValue": "1" + }, + "event_id": "4906", + "keywords": [ + "Audit Success" ], - "outcome": 
"success" + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 804 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "123786", + "time_created": "2020-08-18T09:19:00.237Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json index 589ba2bc4b7..5b929d394e2 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-expected.json 
@@ -1,27 +1,72 @@ { "expected": [ { + "@timestamp": "2020-08-19T07:56:17.112Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "d42932a5-9237-4c88-b833-60e3b66915d8", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "audit-setting-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4907", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml" + }, + "level": "information" + }, "process": { + "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe", "name": "TiWorker.exe", - "pid": 4300, - "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe" + "pid": 4300 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" }, - "@timestamp": "2020-08-19T07:56:17.112Z", "winlog": { + "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 4, - "thread": { - "id": 408 - } + "event_data": { + "HandleId": "0x93c", + "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", + "NewSdSacl0": "Everyone :System Audit ([Delete All Child Objects, List Contents, Read All Properties, All Extended Rights, Delete, Modify Permissions, Modify Owner])", + "ObjectName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1", + "ObjectServer": "Security", + "ObjectType": "File", + 
"SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" }, + "event_id": "4907", "keywords": [ "Audit Success" ], @@ -29,64 +74,18 @@ "logon": { "id": "0x3e7" }, - "channel": "Security", - "event_data": { - "ObjectType": "File", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "ObjectServer": "Security", - "HandleId": "0x93c", - "SubjectDomainName": "TEST", - "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", - "SubjectLogonId": "0x3e7", - "NewSdSacl0": "Everyone :System Audit ([Delete All Child Objects, List Contents, Read All Properties, All Extended Rights, Delete, Modify Permissions, Modify Owner])", - "SubjectUserSid": "S-1-5-18", - "ObjectName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1" - }, "opcode": "Info", - "record_id": "146933", - "event_id": "4907", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 408 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-08-19T07:56:17.112Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "event": { - "ingested": "2022-01-12T05:19:10.406669356Z", - "code": "4907", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "audit-setting-changed", - "category": [ - "iam", - "configuration" - ], - "type": [ - "admin", - "change" - ], - "outcome": "success" - }, - "user": { - "name": "WIN-BVM4LI1L1Q6$", - "domain": "TEST", - "id": "S-1-5-18" + "record_id": "146933", + "time_created": "2020-08-19T07:56:17.112Z" } } ] 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json index 1f393d91913..a50b4fc2ecc 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json 
@@ -1,27 +1,69 @@ { "expected": [ { + "@timestamp": "2020-04-06T06:39:04.549Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "f86f8f87-0401-4d4d-a9b3-d3a9a524dde2", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "privileged-service-called", + "category": [ + "iam" + ], + "code": "4673", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml" + }, + "level": "information" + }, "process": { + "executable": "C:\\Windows\\System32\\lsass.exe", "name": "lsass.exe", - "pid": 496, - "executable": "C:\\Windows\\System32\\lsass.exe" + "pid": 496 + }, + "related": { + "user": [ + "DC_TEST2K12$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "DC_TEST2K12$" }, - "@timestamp": "2020-04-06T06:39:04.549Z", "winlog": { + "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 496, - "thread": { - "id": 504 - } + "event_data": { + "ObjectServer": "NT Local Security Authority / Authentication Service", + "PrivilegeList": [ + "SeTcbPrivilege" + ], + "Service": "LsaRegisterLogonProcess()", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "DC_TEST2K12$", + "SubjectUserSid": "S-1-5-18" }, + "event_id": "4673", "keywords": [ "Audit Success" ], 
@@ -29,61 +71,18 @@ "logon": { "id": "0x3e7" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "DC_TEST2K12$", - "ObjectServer": "NT Local Security Authority / Authentication Service", - "Service": "LsaRegisterLogonProcess()", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "PrivilegeList": [ - "SeTcbPrivilege" - ], - "SubjectUserSid": "S-1-5-18" - }, "opcode": "Info", - "record_id": "5109160", - "event_id": "4673", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 504 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-04-06T06:39:04.549Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "DC_TEST2K12$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "event": { - "ingested": "2022-01-12T05:19:11.428690578Z", - "code": "4673", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "privileged-service-called", - "category": [ - "iam" - ], - "type": [ - "admin" - ], - "outcome": "success" - }, - "user": { - "name": "DC_TEST2K12$", - "domain": "TEST", - "id": "S-1-5-18" + "record_id": "5109160", + "time_created": "2020-04-06T06:39:04.549Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json index 02bfd298106..073bab47605 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2020-04-02T14:34:08.889Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "961c8568-c795-47e6-8d9f-661cdab1fac0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-04-02T14:34:08.889Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 792, - "thread": { - "id": 2492 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4c323" - }, - "channel": "Security", - "event_data": { - "ServiceAccount": "LocalSystem", - "SubjectUserName": "Administrator", - "ServiceStartType": "2", - "ServiceName": "winlogbeat", - "ServiceType": "0x10", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4c323", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "ServiceFileName": "\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true" - }, - "opcode": "Info", - "record_id": "90108", - "event_id": "4697", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}", - "time_created": "2020-04-02T14:34:08.889Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml" - } - }, - "service": { - "name": "winlogbeat", - "type": "Win32 Own Process" - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": 
"2022-01-12T05:19:11.999016677Z", - "code": "4697", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "service-installed", "category": [ "iam", "configuration" ], + "code": "4697", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "service": { + "name": "winlogbeat", + "type": "Win32 Own Process" }, "user": { - "name": "Administrator", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "ServiceAccount": "LocalSystem", + "ServiceFileName": "\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true", + "ServiceName": "winlogbeat", + "ServiceStartType": "2", + "ServiceType": "0x10", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4c323", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": "4697", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4c323" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 792, + "thread": { + "id": 2492 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + 
"provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "90108", + "time_created": "2020-04-02T14:34:08.889Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json index 5ddf1e55991..818c75f251c 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json 
@@ -1,98 +1,97 @@ { "expected": [ { + "@timestamp": "2020-04-01T08:45:44.171Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "2e71c92e-5c70-4ea4-aad7-d3a2174f2a6d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 496, - "thread": { - "id": 2868 - } - }, - "keywords": [ - "Audit Success" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "kerberos-authentication-ticket-requested", + "category": [ + "authentication" ], - "level": "information", - "channel": "Security", - "event_data": { - "PreAuthType": "2", - "Status": "0x0", - "TicketEncryptionType": "0x12", - "ServiceName": "krbtgt", - "TicketOptionsDescription": [ - "Forwardable", - "Renewable-ok", - "Name-canonicalize", - "Renewable" - ], - "StatusDescription": "KDC_ERR_NONE", - "TicketOptions": "0x40810010", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2794", - "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", - "TargetUserName": "at_adm", - "TargetDomainName": "TEST.SAAS", - "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96" - }, - "opcode": "Info", - "record_id": "5040235", - "event_id": "4768", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-04-01T08:45:44.171Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "code": "4768", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" }, "log": { - "level": "information", "file": { "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.xml" - } - }, - "source": { - "port": 0, - "ip": "::1" - }, - "@timestamp": "2020-04-01T08:45:44.171Z", - "ecs": { - "version": 
"8.0.0" + }, + "level": "information" }, "related": { - "user": [ - "at_adm" - ], "ip": [ "::1" + ], + "user": [ + "at_adm" ] }, "service": { "name": "krbtgt" }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "event": { - "ingested": "2022-01-12T05:19:12.631723738Z", - "code": "4768", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "kerberos-authentication-ticket-requested", - "category": [ - "authentication" - ], - "type": [ - "start" - ], - "outcome": "success" + "source": { + "ip": "::1", + "port": 0 }, "user": { - "name": "at_adm", - "domain": "TEST.SAAS" + "domain": "TEST.SAAS", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PreAuthType": "2", + "ServiceName": "krbtgt", + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", + "Status": "0x0", + "StatusDescription": "KDC_ERR_NONE", + "TargetDomainName": "TEST.SAAS", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetUserName": "at_adm", + "TicketEncryptionType": "0x12", + "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", + "TicketOptions": "0x40810010", + "TicketOptionsDescription": [ + "Forwardable", + "Renewable-ok", + "Name-canonicalize", + "Renewable" + ] + }, + "event_id": "4768", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 2868 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5040235", + "time_created": "2020-04-01T08:45:44.171Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json index 919ef9bcd01..ac8d7d2ccc2 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json 
@@ -1,97 +1,96 @@ { "expected": [ { + "@timestamp": "2020-04-01T08:45:44.171Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "d417a772-3290-465f-97d4-7e1221f76934", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 496, - "thread": { - "id": 2868 - } - }, - "keywords": [ - "Audit Success" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "kerberos-service-ticket-requested", + "category": [ + "authentication" ], - "level": "information", - "channel": "Security", - "event_data": { - "Status": "0x0", - "TicketEncryptionType": "0x12", - "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}", - "ServiceName": "DC_TEST2K12$", - "TicketOptionsDescription": [ - "Forwardable", - "Name-canonicalize", - "Renewable" - ], - "StatusDescription": "KDC_ERR_NONE", - "TicketOptions": "0x40810000", - "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110", - "TransmittedServices": "-", - "TargetUserName": "at_adm@TEST.SAAS", - "TargetDomainName": "TEST.SAAS", - "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96" - }, - "opcode": "Info", - "record_id": "5040236", - "event_id": "4769", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-04-01T08:45:44.171Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "code": "4769", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" }, "log": { - "level": "information", "file": { "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.xml" - } - }, - "source": { - "port": 0, - "ip": "::1" - }, - "@timestamp": "2020-04-01T08:45:44.171Z", - "ecs": { - "version": "8.0.0" 
+ }, + "level": "information" }, "related": { - "user": [ - "at_adm" - ], "ip": [ "::1" + ], + "user": [ + "at_adm" ] }, "service": { "name": "DC_TEST2K12$" }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "event": { - "ingested": "2022-01-12T05:19:13.313531895Z", - "code": "4769", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "kerberos-service-ticket-requested", - "category": [ - "authentication" - ], - "type": [ - "start" - ], - "outcome": "success" + "source": { + "ip": "::1", + "port": 0 }, "user": { - "name": "at_adm", - "domain": "TEST.SAAS" + "domain": "TEST.SAAS", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}", + "ServiceName": "DC_TEST2K12$", + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110", + "Status": "0x0", + "StatusDescription": "KDC_ERR_NONE", + "TargetDomainName": "TEST.SAAS", + "TargetUserName": "at_adm@TEST.SAAS", + "TicketEncryptionType": "0x12", + "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", + "TicketOptions": "0x40810000", + "TicketOptionsDescription": [ + "Forwardable", + "Name-canonicalize", + "Renewable" + ], + "TransmittedServices": "-" + }, + "event_id": "4769", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 2868 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5040236", + "time_created": "2020-04-01T08:45:44.171Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json index f9a5b28d1c9..9bf1289ffc2 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json 
@@ -1,92 +1,91 @@ { "expected": [ { + "@timestamp": "2020-04-01T07:32:55.010Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "ecb4944b-a4a6-4a12-be3c-2aa7175c6f7c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 496, - "thread": { - "id": 4468 - } - }, - "keywords": [ - "Audit Success" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "kerberos-service-ticket-renewed", + "category": [ + "authentication" ], - "level": "information", - "channel": "Security", - "event_data": { - "TicketEncryptionType": "0x12", - "ServiceName": "krbtgt", - "TicketOptionsDescription": [ - "Name-canonicalize", - "Renew" - ], - "TicketOptions": "0x10002", - "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", - "TargetUserName": "DC_TEST2K12$@TEST.SAAS", - "TargetDomainName": "TEST.SAAS", - "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96" - }, - "opcode": "Info", - "record_id": "5039598", - "event_id": "4770", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-04-01T07:32:55.010Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "code": "4770", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" }, "log": { - "level": "information", "file": { "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.xml" - } - }, - "source": { - "port": 0, - "ip": "::1" - }, - "@timestamp": "2020-04-01T07:32:55.010Z", - "ecs": { - "version": "8.0.0" + }, + "level": "information" }, "related": { - "user": [ - "DC_TEST2K12$" - ], "ip": [ "::1" + ], + "user": [ + "DC_TEST2K12$" ] }, "service": { "name": "krbtgt" }, - 
"host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "event": { - "ingested": "2022-01-12T05:19:14.199050989Z", - "code": "4770", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "kerberos-service-ticket-renewed", - "category": [ - "authentication" - ], - "type": [ - "start" - ], - "outcome": "success" + "source": { + "ip": "::1", + "port": 0 }, "user": { - "name": "DC_TEST2K12$", - "domain": "TEST.SAAS" + "domain": "TEST.SAAS", + "name": "DC_TEST2K12$" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "ServiceName": "krbtgt", + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", + "TargetDomainName": "TEST.SAAS", + "TargetUserName": "DC_TEST2K12$@TEST.SAAS", + "TicketEncryptionType": "0x12", + "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", + "TicketOptions": "0x10002", + "TicketOptionsDescription": [ + "Name-canonicalize", + "Renew" + ] + }, + "event_id": "4770", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 4468 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5039598", + "time_created": "2020-04-01T07:32:55.010Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json index 70516597b25..52cf42cab41 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json 
@@ -1,93 +1,92 @@ { "expected": [ { + "@timestamp": "2020-03-31T07:50:27.168Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "ac571f8c-8d98-4d24-8463-f0e5d0a13bdd", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 496, - "thread": { - "id": 4552 - } - }, - "keywords": [ - "Audit Failure" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "kerberos-preauth-failed", + "category": [ + "authentication" ], - "level": "information", - "channel": "Security", - "event_data": { - "PreAuthType": "0", - "Status": "0x12", - "ServiceName": "krbtgt/test.saas", - "TicketOptionsDescription": [ - "Forwardable", - "Renewable-ok", - "Name-canonicalize", - "Renewable" - ], - "StatusDescription": "KDC_ERR_CLIENT_REVOKED", - "TicketOptions": "0x40810010", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057", - "TargetUserName": "MPUIG" - }, - "opcode": "Info", - "record_id": "5027836", - "event_id": "4771", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-03-31T07:50:27.168Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "failure" + "code": "4771", + "kind": "event", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" }, "log": { - "level": "information", "file": { "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.xml" - } - }, - "source": { - "port": 53366, - "ip": "192.168.5.44" - }, - "@timestamp": "2020-03-31T07:50:27.168Z", - "ecs": { - "version": "8.0.0" + }, + "level": "information" }, "related": { - "user": [ - "MPUIG" - ], "ip": [ "192.168.5.44" + ], + "user": [ + "MPUIG" ] }, "service": { "name": "krbtgt/test.saas" }, - 
"host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "event": { - "ingested": "2022-01-12T05:19:14.929349183Z", - "code": "4771", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "kerberos-preauth-failed", - "category": [ - "authentication" - ], - "type": [ - "start" - ], - "outcome": "failure" + "source": { + "ip": "192.168.5.44", + "port": 53366 }, "user": { "name": "MPUIG" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PreAuthType": "0", + "ServiceName": "krbtgt/test.saas", + "Status": "0x12", + "StatusDescription": "KDC_ERR_CLIENT_REVOKED", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057", + "TargetUserName": "MPUIG", + "TicketOptions": "0x40810010", + "TicketOptionsDescription": [ + "Forwardable", + "Renewable-ok", + "Name-canonicalize", + "Renewable" + ] + }, + "event_id": "4771", + "keywords": [ + "Audit Failure" + ], + "level": "information", + "opcode": "Info", + "outcome": "failure", + "process": { + "pid": 496, + "thread": { + "id": 4552 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5027836", + "time_created": "2020-03-31T07:50:27.168Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json index 379e719cde1..c2482777bc7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json 
@@ -1,22 +1,57 @@ { "expected": [ { + "@timestamp": "2020-04-01T08:45:42.187Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "e3bf3bc5-3815-4ca8-ad10-d40daaa047fc", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-04-01T08:45:42.187Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "credential-validated", + "category": [ + "authentication" + ], + "code": "4776", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "name": "at_adm" + }, "winlog": { + "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 496, - "thread": { - "id": 1864 - } + "event_data": { + "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", + "Status": "0x0", + "TargetUserName": "at_adm", + "Workstation": "EQP01777" }, + "event_id": "4776", "keywords": [ "Audit Success" ], 
@@ -26,54 +61,18 @@
 "status": "Status OK."
 }
 },
- "channel": "Security",
- "event_data": {
- "Status": "0x0",
- "Workstation": "EQP01777",
- "TargetUserName": "at_adm",
- "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
- },
 "opcode": "Info",
- "record_id": "5040222",
- "event_id": "4776",
+ "outcome": "success",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 1864
+ }
+ },
 "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-04-01T08:45:42.187Z",
 "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "related": {
- "user": [
- "at_adm"
- ]
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.xml"
- }
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "event": {
- "ingested": "2022-01-12T05:19:15.381355247Z",
- "code": "4776",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
- "action": "credential-validated",
- "category": [
- "authentication"
- ],
- "type": [
- "start"
- ],
- "outcome": "success"
- },
- "user": {
- "name": "at_adm"
+ "record_id": "5040222",
+ "time_created": "2020-04-01T08:45:42.187Z"
 }
 }
 ]
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
index 3f1e1bb339b..771655c5811 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json
@@ -1,88 +1,87 @@
 {
 "expected": [
 {
+ "@timestamp": "2020-04-05T16:33:32.388Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "f305e9f9-96b1-4f18-a864-144e6a3fc46d",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
- "@timestamp": "2020-04-05T16:33:32.388Z",
- "winlog": {
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "process": {
- "pid": 496,
- "thread": {
- "id": 4184
- }
- },
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x76fea87"
- },
- "channel": "Security",
- "event_data": {
- "ClientName": "EQP01777",
- "ClientAddress": "10.100.150.9",
- "AccountDomain": "TEST",
- "LogonID": "0x76fea87",
- "SessionName": "RDP-Tcp#127",
- "AccountName": "at_adm"
- },
- "opcode": "Info",
- "record_id": "5101675",
- "event_id": "4778",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-04-05T16:33:32.388Z",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
 "ecs": {
 "version": "8.0.0"
 },
- "related": {
- "user": [
- "at_adm"
- ],
- "ip": [
- "10.100.150.9"
- ]
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml"
- }
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "source": {
- "ip": "10.100.150.9",
- "domain": "EQP01777"
- },
 "event": {
- "ingested": "2022-01-12T05:19:15.988963760Z",
- "code": "4778",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
 "action": "session-reconnected",
 "category": [
 "authentication",
 "session"
 ],
+ "code": "4778",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
 "type": [
 "start"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "ip": [
+ "10.100.150.9"
 ],
- "outcome": "success"
+ "user": [
+ "at_adm"
+ ]
+ },
+ "source": {
+ "domain": "EQP01777",
+ "ip": "10.100.150.9"
 },
 "user": {
- "name": "at_adm",
- "domain": "TEST"
+ "domain": "TEST",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "AccountDomain": "TEST",
+ "AccountName": "at_adm",
+ "ClientAddress": "10.100.150.9",
+ "ClientName": "EQP01777",
+ "LogonID": "0x76fea87",
+ "SessionName": "RDP-Tcp#127"
+ },
+ "event_id": "4778",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x76fea87"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 4184
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "5101675",
+ "time_created": "2020-04-05T16:33:32.388Z"
 }
 }
 ]
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
index 6222d0365cd..bc3cf06301b 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json
@@ -1,88 +1,87 @@
 {
 "expected": [
 {
+ "@timestamp": "2020-04-03T10:18:01.882Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "d9d93a3d-3242-4f55-a4de-4ded8ae26301",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
- "@timestamp": "2020-04-03T10:18:01.882Z",
- "winlog": {
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "process": {
- "pid": 496,
- "thread": {
- "id": 3852
- }
- },
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x60d1ccb"
- },
- "channel": "Security",
- "event_data": {
- "ClientName": "EQP01777",
- "ClientAddress": "10.100.150.17",
- "AccountDomain": "TEST",
- "LogonID": "0x60d1ccb",
- "SessionName": "RDP-Tcp#116",
- "AccountName": "at_adm"
- },
- "opcode": "Info",
- "record_id": "5069070",
- "event_id": "4779",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-04-03T10:18:01.882Z",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
 "ecs": {
 "version": "8.0.0"
 },
- "related": {
- "user": [
- "at_adm"
- ],
- "ip": [
- "10.100.150.17"
- ]
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml"
- }
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "source": {
- "ip": "10.100.150.17",
- "domain": "EQP01777"
- },
 "event": {
- "ingested": "2022-01-12T05:19:16.436236473Z",
- "code": "4779",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
 "action": "session-disconnected",
 "category": [
 "authentication",
 "session"
 ],
+ "code": "4779",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
 "type": [
 "end"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "ip": [
+ "10.100.150.17"
 ],
- "outcome": "success"
+ "user": [
+ "at_adm"
+ ]
+ },
+ "source": {
+ "domain": "EQP01777",
+ "ip": "10.100.150.17"
 },
 "user": {
- "name": "at_adm",
- "domain": "TEST"
+ "domain": "TEST",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "AccountDomain": "TEST",
+ "AccountName": "at_adm",
+ "ClientAddress": "10.100.150.17",
+ "ClientName": "EQP01777",
+ "LogonID": "0x60d1ccb",
+ "SessionName": "RDP-Tcp#116"
+ },
+ "event_id": "4779",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x60d1ccb"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 3852
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "5069070",
+ "time_created": "2020-04-03T10:18:01.882Z"
 }
 }
 ]
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
index fa1cda25ca5..05349a05d26 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json
@@ -1,1786 +1,1768 @@ { "expected": [ { + "@timestamp": "2019-03-29T21:10:39.786Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:10:39.786Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 536 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": 
"SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1535", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 536 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:39.786Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1535", + "time_created": "2019-03-29T21:10:39.786Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.255Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318727385Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", 
"type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:10:40.255Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": 
"S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1538", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:40.255Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1538", + "time_created": "2019-03-29T21:10:40.255Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.380Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318730007Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": 
"53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", "name": "winlogon.exe", - "pid": 448, - "executable": "C:\\Windows\\System32\\winlogon.exe" + "pid": 448 }, - "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" + "related": { + "ip": [ + "89.160.20.156" ], - "level": "information", - "logon": { - "type": "Interactive", - "id": "0x3e7" - }, + "user": [ + "vagrant", + "VAGRANT-2012-R2$" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "89.160.20.156", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "KeyLength": "0", + "LmPackageName": "-", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "User32 ", "LogonType": "2", + "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", - "KeyLength": "0", - "LmPackageName": "-", - "TargetLogonId": "0x1008e", "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", - "LogonProcessName": "User32 ", - "TargetDomainName": "VAGRANT-2012-R2", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x1008e", + "TargetUserName": "vagrant", + "TargetUserSid": 
"S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1542", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Interactive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:40.380Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "source": { - "port": 0, - "ip": "89.160.20.156", - "domain": "VAGRANT-2012-R2" + "record_id": "1542", + "time_created": "2019-03-29T21:10:40.380Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.505Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, - "@timestamp": "2019-03-29T21:10:40.380Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant", - "VAGRANT-2012-R2$" - ], - "ip": [ - "89.160.20.156" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318730454Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": 
"3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:10:40.505Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": 
"S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1545", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:40.505Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1545", + "time_created": "2019-03-29T21:10:40.505Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.630Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318730884Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "-", "name": "-", - "pid": 0, - "executable": "-" + "pid": 0 + }, + "related": { + "user": [ + "ANONYMOUS LOGON" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-7", + "name": "ANONYMOUS LOGON" }, - "@timestamp": "2019-03-29T21:10:40.630Z", "winlog": { + "channel": "Security", "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x0" - }, - "channel": "Security", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "3", + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x0", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "NTLM V1", - "TargetLogonId": "0x129f1", - "SubjectUserName": "-", - "IpAddress": "-", - "SubjectDomainName": "-", - "ImpersonationLevel": "%%1833", - "TargetUserName": "ANONYMOUS LOGON", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", - "AuthenticationPackageName": "NTLM", - "TargetUserSid": "S-1-5-7" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x129f1", + "TargetUserName": "ANONYMOUS LOGON", + "TargetUserSid": "S-1-5-7", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1547", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, 
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:40.630Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1547", + "time_created": "2019-03-29T21:10:40.630Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:53.661Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "ANONYMOUS LOGON" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318731315Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "ANONYMOUS LOGON", - "domain": "NT AUTHORITY", - "id": "S-1-5-7" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "-", "name": "-", - "pid": 0, - "executable": "-" + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" }, - 
"@timestamp": "2019-03-29T21:10:53.661Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x0" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "3", + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x0", - "TransmittedServices": "-", "KeyLength": "128", "LmPackageName": "NTLM V2", - "TargetLogonId": "0x28d31", - "SubjectUserName": "-", - "IpAddress": "-", - "SubjectDomainName": "-", - "ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", - "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", - "AuthenticationPackageName": "NTLM", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x28d31", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1550", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:53.661Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1550", + "time_created": "2019-03-29T21:10:53.661Z", + "version": 1 + } + }, + { + "@timestamp": 
"2019-03-29T21:10:54.661Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318731695Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "-", "name": "-", - "pid": 0, - "executable": "-" + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" }, - "@timestamp": "2019-03-29T21:10:54.661Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x0" - }, 
"channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "3", + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x0", - "TransmittedServices": "-", "KeyLength": "128", "LmPackageName": "NTLM V2", - "TargetLogonId": "0x29f0f", - "SubjectUserName": "-", - "IpAddress": "-", - "SubjectDomainName": "-", - "ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", - "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", - "AuthenticationPackageName": "NTLM", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x29f0f", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1553", "event_id": "4624", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:54.661Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { + "keywords": [ + "Audit Success" + ], "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1553", + "time_created": 
"2019-03-29T21:10:54.661Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:55.458Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, - "host": { - "name": "vagrant-2012-r2" + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-12T05:19:17.318732157Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "-", "name": "-", - "pid": 0, - "executable": "-" + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" }, - "@timestamp": "2019-03-29T21:10:55.458Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x0" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "3", + 
"AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x0", - "TransmittedServices": "-", "KeyLength": "128", "LmPackageName": "NTLM V2", - "TargetLogonId": "0x2a362", - "SubjectUserName": "-", - "IpAddress": "-", - "SubjectDomainName": "-", - "ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", - "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", - "AuthenticationPackageName": "NTLM", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x2a362", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1556", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:55.458Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1556", + "time_created": "2019-03-29T21:10:55.458Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.302Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318732667Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "-", "name": "-", - "pid": 0, - "executable": "-" + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "source": { + "domain": "89.160.20.156" + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 808 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x0" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "3", + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x0", - "TransmittedServices": "-", "KeyLength": "128", "LmPackageName": "NTLM 
V2", - "TargetLogonId": "0x324f8", - "SubjectUserName": "-", - "IpAddress": "-", - "SubjectDomainName": "-", - "ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", - "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", - "AuthenticationPackageName": "NTLM", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x324f8", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1561", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:13:17.302Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "source": { - "domain": "89.160.20.156" + "record_id": "1561", + "time_created": "2019-03-29T21:13:17.302Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.521Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, - "@timestamp": "2019-03-29T21:13:17.302Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": 
"2022-01-12T05:19:17.318733045Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 2812 + }, + "related": { + "user": [ + "DWM-2", + "VAGRANT-2012-R2$" + ] }, - "process": { - "name": "winlogon.exe", - "pid": 2812, - "executable": "C:\\Windows\\System32\\winlogon.exe" + "user": { + "domain": "Window Manager", + "id": "S-1-5-90-2", + "name": "DWM-2" }, - "@timestamp": "2019-03-29T21:13:17.521Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Interactive", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "2", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x33444", - "SubjectUserName": "VAGRANT-2012-R2$", - 
"IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "DWM-2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "Window Manager", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-90-2" + "TargetDomainName": "Window Manager", + "TargetLogonId": "0x33444", + "TargetUserName": "DWM-2", + "TargetUserSid": "S-1-5-90-2", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1563", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Interactive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:13:17.521Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1563", + "time_created": "2019-03-29T21:13:17.521Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.614Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "DWM-2", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318733435Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ 
"authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "DWM-2", - "domain": "Window Manager", - "id": "S-1-5-90-2" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", "name": "winlogon.exe", - "pid": 2812, - "executable": "C:\\Windows\\System32\\winlogon.exe" + "pid": 2812 }, - "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 808 - } - }, - "keywords": [ - "Audit Success" + "related": { + "ip": [ + "10.0.2.2" ], - "level": "information", - "logon": { - "type": "RemoteInteractive", - "id": "0x3e7" - }, + "user": [ + "vagrant", + "VAGRANT-2012-R2$" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "10.0.2.2", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "KeyLength": "0", + "LmPackageName": "-", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "User32 ", "LogonType": "10", + "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", - "KeyLength": "0", - "LmPackageName": "-", - "TargetLogonId": "0x3444f", "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectDomainName": "WORKGROUP", - 
"ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", - "LogonProcessName": "User32 ", - "TargetDomainName": "VAGRANT-2012-R2", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x3444f", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1567", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "RemoteInteractive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:13:17.614Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "source": { - "port": 0, - "ip": "10.0.2.2", - "domain": "VAGRANT-2012-R2" + "record_id": "1567", + "time_created": "2019-03-29T21:13:17.614Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:18.786Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, - "@timestamp": "2019-03-29T21:13:17.614Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant", - "VAGRANT-2012-R2$" - ], - "ip": [ - "10.0.2.2" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318733854Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ 
"authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", "name": "winlogon.exe", - "pid": 2188, - "executable": "C:\\Windows\\System32\\winlogon.exe" + "pid": 2188 + }, + "related": { + "user": [ + "DWM-3", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "Window Manager", + "id": "S-1-5-90-3", + "name": "DWM-3" }, - "@timestamp": "2019-03-29T21:13:18.786Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Interactive", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "2", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x357fd", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "DWM-3", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - 
"TargetDomainName": "Window Manager", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-90-3" + "TargetDomainName": "Window Manager", + "TargetLogonId": "0x357fd", + "TargetUserName": "DWM-3", + "TargetUserSid": "S-1-5-90-3", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1570", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Interactive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:13:18.786Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1570", + "time_created": "2019-03-29T21:13:18.786Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:48.740Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "DWM-3", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318734383Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "DWM-3", - 
"domain": "Window Manager", - "id": "S-1-5-90-3" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:20:48.740Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + 
"TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1574", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:20:48.740Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1574", + "time_created": "2019-03-29T21:20:48.740Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:48.740Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318734779Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": 
"vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:20:48.740Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + 
"type": "Service" }, "opcode": "Info", - "version": 1, - "record_id": "1576", - "event_id": "4624", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:20:48.740Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1576", + "time_created": "2019-03-29T21:20:48.740Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:50.584Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318735142Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": 
"services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:20:50.584Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 504 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1578", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 504 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": 
"2019-03-29T21:20:50.584Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1578", + "time_created": "2019-03-29T21:20:50.584Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:23:42.520Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318735500Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": 
"2019-03-29T21:23:42.520Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1581", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:23:42.520Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } + "record_id": "1581", + "time_created": "2019-03-29T21:23:42.520Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:26:24.176Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, - "host": { - "name": "vagrant-2012-r2" + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-12T05:19:17.318735861Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:26:24.176Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 344 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - 
"id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1583", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 344 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:26:24.176Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1583", + "time_created": "2019-03-29T21:26:24.176Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:45:35.177Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - 
"VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:17.318736331Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "logged-in", + "action": "logon-failed", "category": [ "authentication" ], + "code": "4625", + "kind": "event", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", - "pid": 836, - "executable": "C:\\Windows\\System32\\svchost.exe" + "pid": 836 + }, + "related": { + "ip": [ + "::1" + ], + "user": [ + "bosch" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-0-0", + "name": "bosch" }, "winlog": { + "channel": "Security", "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 2756 - } + "event_data": { + "AuthenticationPackageName": "Negotiate", + "FailureReason": "%%2313", + "KeyLength": "0", + "LmPackageName": "-", + "LogonProcessName": "seclogo", + "LogonType": "2", + "Status": "0xc000006d", + "SubStatus": "0xc0000064", + "SubjectDomainName": "VAGRANT-2012-R2", + 
"SubjectLogonId": "0x1008e", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetUserName": "bosch", + "TargetUserSid": "S-1-0-0", + "TransmittedServices": "-" }, + "event_id": "4625", "keywords": [ "Audit Failure" ], "level": "information", "logon": { - "type": "Interactive", "failure": { - "sub_status": "User logon with misspelled or bad user account", "reason": "Unknown user name or bad password.", - "status": "This is either due to a bad username or authentication information" + "status": "This is either due to a bad username or authentication information", + "sub_status": "User logon with misspelled or bad user account" }, - "id": "0x1008e" - }, - "channel": "Security", - "event_data": { - "Status": "0xc000006d", - "LogonType": "2", - "SubjectLogonId": "0x1008e", - "TransmittedServices": "-", - "KeyLength": "0", - "LmPackageName": "-", - "SubjectUserName": "vagrant", - "FailureReason": "%%2313", - "SubjectDomainName": "VAGRANT-2012-R2", - "TargetUserName": "bosch", - "SubStatus": "0xc0000064", - "LogonProcessName": "seclogo", - "TargetDomainName": "VAGRANT-2012-R2", - "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-0-0" + "id": "0x1008e", + "type": "Interactive" }, "opcode": "Info", - "record_id": "1585", - "event_id": "4625", + "outcome": "failure", + "process": { + "pid": 516, + "thread": { + "id": 2756 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:45:35.177Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "failure" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "source": { - "port": 0, - "ip": "::1", - "domain": "VAGRANT-2012-R2" - }, - "@timestamp": 
"2019-03-29T21:45:35.177Z", - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "bosch" - ], - "ip": [ - "::1" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "event": { - "ingested": "2022-01-12T05:19:17.318736690Z", - "code": "4625", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "logon-failed", - "category": [ - "authentication" - ], - "type": [ - "start" - ], - "outcome": "failure" - }, - "user": { - "name": "bosch", - "domain": "VAGRANT-2012-R2", - "id": "S-1-0-0" + "record_id": "1585", + "time_created": "2019-03-29T21:45:35.177Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json index 0effaa6d829..ff13c8596f3 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json 
@@ -1,104 +1,65 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:28:46.163Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:28:46.163Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2815", - "event_id": "4722", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:28:46.163Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:29.009789227Z", - "code": "4722", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "enabled-user-account", "category": [ "iam" ], + "code": "4722", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": 
"success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9", - "type": "filebeat", - "version": "8.0.0" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" }, - "@timestamp": "2019-09-06T13:29:08.573Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 532 - } + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" }, + "event_id": "4722", "keywords": [ "Audit Success" ], 
@@ -106,62 +67,99 @@ "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest0609", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2826", - "event_id": "4722", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:29:08.573Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2815", + "time_created": "2019-09-06T13:28:46.163Z" + } + }, + { + "@timestamp": "2019-09-06T13:29:08.573Z", + "agent": { + "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest0609" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:29.009791859Z", - "code": "4722", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "enabled-user-account", "category": [ "iam" ], + "code": "4722", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4722", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2826", + "time_created": "2019-09-06T13:29:08.573Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json index 7d97dce0d84..90b3155563e 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json 
@@ -1,167 +1,165 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:32:13.855Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:32:13.855Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } - }, - "keywords": [ - "Audit Failure" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "Administrator", - "TargetDomainName": "WIN-41OB2LO92CR", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2838", - "event_id": "4723", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:32:13.855Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "failure" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:30.186175872Z", - "code": "4723", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-password", "category": [ "iam" ], + "code": "4723", + "kind": "event", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - 
"outcome": "failure" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862", - "type": "filebeat", - "version": "8.0.0" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" }, - "@timestamp": "2019-09-06T13:32:23.885Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 532 - } + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Administrator" }, + "event_id": "4723", "keywords": [ - "Audit Success" + "Audit Failure" ], "level": "information", "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "Administrator", - "TargetDomainName": "WIN-41OB2LO92CR", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2839", - "event_id": "4723", + "outcome": "failure", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + 
}, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:32:23.885Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2838", + "time_created": "2019-09-06T13:32:13.855Z" + } + }, + { + "@timestamp": "2019-09-06T13:32:23.885Z", + "agent": { + "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:30.186178090Z", - "code": "4723", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-password", "category": [ "iam" ], + "code": "4723", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + 
"SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Administrator" + }, + "event_id": "4723", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2839", + "time_created": "2019-09-06T13:32:23.885Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json index ce29b554291..fa02b78015c 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json 
@@ -1,104 +1,65 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:24:39.339Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:24:39.339Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 816 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "elastictest1", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2762", - "event_id": "4724", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:24:39.339Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "elastictest1" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:30.934340941Z", - "code": "4724", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "reset-password", "category": [ "iam" ], + "code": "4724", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": 
"success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "elastictest1" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4", - "type": "filebeat", - "version": "8.0.0" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" }, - "@timestamp": "2019-09-06T13:25:21.900Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" }, + "event_id": "4724", "keywords": [ "Audit Success" ], 
@@ -106,62 +67,99 @@ "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest0609", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2787", - "event_id": "4724", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 816 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:25:21.900Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2762", + "time_created": "2019-09-06T13:24:39.339Z" + } + }, + { + "@timestamp": "2019-09-06T13:25:21.900Z", + "agent": { + "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest0609" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:30.934343538Z", - "code": "4724", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "reset-password", "category": [ "iam" ], + "code": "4724", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4724", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2787", + "time_created": "2019-09-06T13:25:21.900Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json index 36e582090b2..e31b6325ead 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json 
@@ -1,104 +1,65 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:28:40.001Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:28:40.001Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 532 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2810", - "event_id": "4725", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:28:40.001Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:32.296236985Z", - "code": "4725", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "disabled-user-account", "category": [ "iam" ], + "code": "4725", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "deletion" - ], - 
"outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5", - "type": "filebeat", - "version": "8.0.0" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" }, - "@timestamp": "2019-09-06T13:28:55.264Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 532 - } + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" }, + "event_id": "4725", "keywords": [ "Audit Success" ], 
@@ -106,62 +67,99 @@ "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest0609", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2820", - "event_id": "4725", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:28:55.264Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2810", + "time_created": "2019-09-06T13:28:40.001Z" + } + }, + { + "@timestamp": "2019-09-06T13:28:55.264Z", + "agent": { + "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest0609" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:32.296239113Z", - "code": "4725", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "disabled-user-account", "category": [ "iam" ], + "code": "4725", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "deletion" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4725", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2820", + "time_created": "2019-09-06T13:28:55.264Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json index 056f9cd5bd7..82a30b9c1d0 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json 
@@ -1,105 +1,66 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:35:25.515Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:35:25.515Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 1980 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1001", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest23", - "TargetDomainName": "WIN-41OB2LO92CR", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2851", - "event_id": "4726", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:35:25.515Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest23" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:33.381070206Z", - "code": "4726", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-user-account", "category": [ "iam" ], + "code": "4726", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", 
"deletion" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest23" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24", - "type": "filebeat", - "version": "8.0.0" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" }, - "@timestamp": "2019-09-06T13:35:29.690Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1001", + "TargetUserName": "audittest23" }, + "event_id": "4726", "keywords": [ "Audit Success" ], 
@@ -107,63 +68,100 @@ "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest", - "TargetDomainName": "WIN-41OB2LO92CR", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2857", - "event_id": "4726", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 1980 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:35:29.690Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2851", + "time_created": "2019-09-06T13:35:25.515Z" + } + }, + { + "@timestamp": "2019-09-06T13:35:29.690Z", + "agent": { + "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:33.381072401Z", - "code": "4726", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-user-account", "category": [ "iam" ], + "code": "4726", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "deletion" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" + }, + "event_id": "4726", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2857", + "time_created": "2019-09-06T13:35:29.690Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json index e323b8de05b..2f4c95483b3 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:26:12.495Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "a6c7bf33-4c58-473a-b21e-ff14cfa0876c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:26:12.495Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x27438" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "DnsUpdateProxy", - "SubjectUserName": "WIN-41OB2LO92CR$", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1110", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x27438", - "TargetUserName": "DnsUpdateProxy", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "4105", - "event_id": "4727", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:26:12.495Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:34.467518Z", - "code": "4727", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-group-account", "category": [ "iam" ], + "code": "4727", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": "success" + ] }, - "user": 
{ - "name": "WIN-41OB2LO92CR$", + "group": { "domain": "WLBEAT", - "id": "S-1-5-18" + "id": "S-1-5-21-101361758-2486510592-3018839910-1110", + "name": "DnsUpdateProxy" }, - "group": { - "name": "DnsUpdateProxy", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1110" + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "DnsUpdateProxy", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x27438", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1110", + "TargetUserName": "DnsUpdateProxy" + }, + "event_id": "4727", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x27438" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4105", + "time_created": "2019-10-22T11:26:12.495Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json index ca6a7270c2f..802f4f5d850 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json 
@@ -1,99 +1,98 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:33:26.861Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "20391a81-820a-4b74-9022-d7e336c7a6a5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:33:26.861Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4657", - "event_id": "4728", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:33:26.861Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:34.937487344Z", - "code": "4728", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-group", "category": [ "iam" ], + "code": "4728", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "group": { - "name": "test_group2", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2" + }, + "name": "Administrator" } }, - "group": { - "name": "test_group2", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2" + }, + "event_id": "4728", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4657", + "time_created": "2019-10-22T11:33:26.861Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json index afbd4c1efbb..7606da6b5e2 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json 
@@ -1,99 +1,98 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:33:45.543Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "7634b57b-f6ad-4530-9332-efe87a928e1e", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:33:45.543Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group2v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4665", - "event_id": "4729", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:33:45.543Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:35.848607166Z", - "code": "4729", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-group", "category": [ "iam" ], + "code": "4729", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "group": { - "name": "test_group2v2", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "name": "Administrator" } }, - "group": { - "name": "test_group2v2", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4729", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4665", + "time_created": "2019-10-22T11:33:45.543Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json index 07bcbfcd20f..108a37ed192 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:34:01.610Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "b88ce36d-4f81-470b-8142-61f8152521db", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:34:01.610Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group2v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4670", - "event_id": "4730", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:34:01.610Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:36.719167607Z", - "code": "4730", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-group-account", "category": [ "iam" ], + "code": "4730", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" }, - "group": { - "name": "test_group2v2", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4730", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4670", + "time_created": "2019-10-22T11:34:01.610Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json index 50f73a257bb..25ee03f04de 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:29:49.358Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "e2d64d83-2a92-4e42-be65-f582b54806c0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:29:49.358Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "test_group1", - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group1", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4569", - "event_id": "4731", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:29:49.358Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:37.258319437Z", - "code": "4731", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-group-account", "category": [ "iam" ], + "code": "4731", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": 
"success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" }, - "group": { - "name": "test_group1", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "test_group1", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4731", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4569", + "time_created": "2019-10-22T11:29:49.358Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json index cc435db3d3e..9402607e361 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json 
@@ -1,99 +1,98 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:31:58.039Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "55e8e30a-98a5-48de-86a3-772d01e6cb34", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:31:58.039Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group1", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4625", - "event_id": "4732", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:31:58.039Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:38.158429304Z", - "code": "4732", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-group", "category": [ "iam" ], + "code": "4732", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "group": { - "name": "test_group1", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" } }, - "group": { - "name": "test_group1", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4732", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4625", + "time_created": "2019-10-22T11:31:58.039Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json index e07c15e7ab8..141703f28b2 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json 
@@ -1,99 +1,98 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:32:14.894Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "f4bfea9b-4505-4540-a5d6-ff3d901ddab0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:32:14.894Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group1", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4627", - "event_id": "4733", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:32:14.894Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:38.638958901Z", - "code": "4733", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-group", "category": [ "iam" ], + "code": "4733", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "group": { - "name": "test_group1", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" } }, - "group": { - "name": "test_group1", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4733", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4627", + "time_created": "2019-10-22T11:32:14.894Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json index fb7f3b9d462..f4b6a57e4c3 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:32:35.127Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "932fe4f8-6220-47bc-8713-250d259a8d06", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:32:35.127Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group1v1", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4630", - "event_id": "4734", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:32:35.127Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:39.087477958Z", - "code": "4734", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-group-account", "category": [ "iam" ], + "code": "4734", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1v1" }, - "group": { - "name": "test_group1v1", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1v1" + }, + "event_id": "4734", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4630", + "time_created": "2019-10-22T11:32:35.127Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json index 0610cdb7791..d0bb16cb44f 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:32:30.425Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "302d5f9e-c923-4bd9-8747-1fe456a97546", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:32:30.425Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "test_group1v1", - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group1v1", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4628", - "event_id": "4735", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:32:30.425Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:39.883441933Z", - "code": "4735", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "modified-group-account", "category": [ "iam" ], + "code": "4735", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - 
"outcome": "success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1v1" }, - "group": { - "name": "test_group1v1", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "test_group1v1", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1v1" + }, + "event_id": "4735", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4628", + "time_created": "2019-10-22T11:32:30.425Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json index f6599ef4e78..8ed0e2acbc0 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:33:57.271Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "751eaf5d-fe35-4c8f-9712-3ad2a1fbccc4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:33:57.271Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "-", - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group2v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4668", - "event_id": "4737", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:33:57.271Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:40.337443959Z", - "code": "4737", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "modified-group-account", "category": [ "iam" ], + "code": "4737", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": 
"success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" }, - "group": { - "name": "test_group2v2", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "-", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4737", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4668", + "time_created": "2019-10-22T11:33:57.271Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json index 82d0e94abb5..4b8d86d2430 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json 
@@ -1,111 +1,110 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:36:17.566Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "8233890e-f67f-456f-833c-9695ee1564d6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:36:17.566Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 1980 - } - }, - "keywords": [ - "Audit Success" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" ], - "level": "information", - "logon": { - "id": "0x264b2" + "code": "4738", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.xml" }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "elastictest1" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", "event_data": { - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "elastictest1", + "Dummy": "-", + "HomeDirectory": "%%1793", + "HomePath": "%%1793", + "LogonHours": "%%1797", "NewUACList": [ "LOCKOUT", "NORMAL_ACCOUNT" ], - "SidHistory": "-", - "LogonHours": "%%1797", - "ScriptPath": "%%1793", - "DisplayName": "elastictest1", - "HomePath": "%%1793", - "SubjectDomainName": "WIN-41OB2LO92CR", - "AllowedToDelegateTo": "-", - "TargetDomainName": 
"WIN-41OB2LO92CR", - "PrivilegeList": "-", - "UserWorkstations": "%%1793", - "SamAccountName": "elastictest1", - "HomeDirectory": "%%1793", - "OldUacValue": "0x210", - "UserParameters": "%%1793", "NewUacValue": "0x210", - "SubjectLogonId": "0x264b2", + "OldUacValue": "0x210", + "PasswordLastSet": "6/9/2019 10:30:28", "PrimaryGroupId": "513", - "AccountExpires": "%%1794", + "PrivilegeList": "-", "ProfilePath": "%%1793", + "SamAccountName": "elastictest1", + "ScriptPath": "%%1793", + "SidHistory": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1", "UserAccountControl": [ "-" ], - "PasswordLastSet": "6/9/2019 10:30:28", + "UserParameters": "%%1793", "UserPrincipalName": "-", - "TargetUserName": "elastictest1", - "Dummy": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + "UserWorkstations": "%%1793" }, - "opcode": "Info", - "record_id": "2862", "event_id": "4738", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 1980 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:36:17.566Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "Administrator", - "elastictest1" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, - "event": { - "ingested": 
"2022-01-12T05:19:41.231495195Z", - "code": "4738", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "modified-user-account", - "category": [ - "iam" - ], - "type": [ - "user", - "change" - ], - "outcome": "success" - }, - "user": { - "name": "Administrator", - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "record_id": "2862", + "time_created": "2019-09-06T13:36:17.566Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json index 29986f38646..b8abfc7efd5 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json 
@@ -1,85 +1,84 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:39:43.085Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "8caa1f31-d548-434d-ac5b-f3725137fe68", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:39:43.085Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 532 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "WIN-41OB2LO92CR$", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "TargetUserName": "elastictest1", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "2883", - "event_id": "4740", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:39:43.085Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$", - "elastictest1" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:41.988303800Z", - "code": "4740", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "locked-out-user-account", "category": [ "iam" ], + "code": "4740", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { 
+ "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$", + "elastictest1" + ] }, "user": { - "name": "WIN-41OB2LO92CR$", "domain": "WORKGROUP", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4740", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2883", + "time_created": "2019-09-06T13:39:43.085Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json index 2db2ff4db43..4ef6c222c1e 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:34:33.783Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "fea32ff4-794a-4eb4-bd70-9683cab0491a", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:34:33.783Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "Test_group3", - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "Test_group3", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4676", - "event_id": "4754", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:34:33.783Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:42.720308869Z", - "code": "4754", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-group-account", "category": [ "iam" ], + "code": "4754", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": 
"success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3" }, - "group": { - "name": "Test_group3", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "Test_group3", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3" + }, + "event_id": "4754", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4676", + "time_created": "2019-10-22T11:34:33.783Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json index 416c3c5bda4..21356aea0f4 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:35:09.070Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "bf0291c9-a8c8-4380-8767-3edd8e19e7e0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:35:09.070Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "-", - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "Test_group3v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4685", - "event_id": "4755", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:35:09.070Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:43.274308805Z", - "code": "4755", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "modified-group-account", "category": [ "iam" ], + "code": "4755", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": 
"success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" }, - "group": { - "name": "Test_group3v2", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "-", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4755", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4685", + "time_created": "2019-10-22T11:35:09.070Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json index 605c4e7af6e..c870904e264 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json 
@@ -1,99 +1,98 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:34:58.413Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "bb4b02fe-1669-4fc2-9334-59658aa314bd", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:34:58.413Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "Test_group3v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4684", - "event_id": "4756", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:34:58.413Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:44.057785219Z", - "code": "4756", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-group", "category": [ "iam" ], + "code": "4756", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "group": { - "name": "Test_group3v2", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" } }, - "group": { - "name": "Test_group3v2", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4756", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4684", + "time_created": "2019-10-22T11:34:58.413Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json index 0222700438d..1b78a06cbc5 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json 
@@ -1,99 +1,98 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:35:09.070Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "108404d6-5e5a-4fc8-af1c-882b4a9e776a", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:35:09.070Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "Test_group3v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4686", - "event_id": "4757", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:35:09.070Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:44.628543976Z", - "code": "4757", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-group", "category": [ "iam" ], + "code": "4757", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "group": { - "name": "Test_group3v2", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" } }, - "group": { - "name": "Test_group3v2", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4757", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4686", + "time_created": "2019-10-22T11:35:09.070Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json index 02f3a17079e..54e7ff49ae5 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:35:13.550Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "a8b7cf01-1874-48ac-9ba5-359576812e03", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:35:13.550Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "Test_group3v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4687", - "event_id": "4758", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:35:13.550Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:45.497532477Z", - "code": "4758", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-group-account", "category": [ "iam" ], + "code": "4758", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" }, - "group": { - "name": "Test_group3v2", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4758", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4687", + "time_created": "2019-10-22T11:35:13.550Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json index 13798d78e77..b9536acbb68 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json 
@@ -1,90 +1,89 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:33:57.271Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "5d24bfd7-c07c-4458-8a1d-8742d5cb6166", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:33:57.271Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "GroupTypeChange": "Security Enabled Universal Group Changed to Security Enabled Global Group.", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group2v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4669", - "event_id": "4764", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:33:57.271Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T05:19:45.882905075Z", - "code": "4764", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "type-changed-group-account", "category": [ "iam" ], + "code": "4764", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" }, - "group": { - "name": "test_group2v2", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "GroupTypeChange": "Security Enabled Universal Group Changed to Security Enabled Global Group.", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4764", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4669", + "time_created": "2019-10-22T11:33:57.271Z" } } ] 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json index 3cecac7093e..354c1774f5e 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json 
@@ -1,85 +1,84 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:40:52.314Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "7ab867f5-fdb6-44f7-8d6a-15aa3b0a5d7d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:40:52.314Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 808 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "elastictest1", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2892", - "event_id": "4767", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:40:52.314Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "elastictest1" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:46.584723694Z", - "code": "4767", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "unlocked-user-account", "category": [ "iam" ], + "code": "4767", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - 
"outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "elastictest1" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4767", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2892", + "time_created": "2019-09-06T13:40:52.314Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json index 028da9e8b5d..221fd00f5f9 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json 
@@ -1,107 +1,68 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:38:17.556Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:38:17.556Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 808 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", - "OldTargetUserName": "audittest0609", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetDomainName": "WIN-41OB2LO92CR", - "NewTargetUserName": "audittest06", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2873", - "event_id": "4781", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:38:17.556Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest06", - "audittest0609" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:47.094000995Z", - "code": "4781", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "renamed-user-account", "category": [ "iam" ], + "code": "4781", + "kind": "event", + "outcome": "success", + 
"provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest06", + "audittest0609" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391", - "type": "filebeat", - "version": "8.0.0" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" }, - "@timestamp": "2019-09-06T13:38:23.516Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 808 - } + "event_data": { + "NewTargetUserName": "audittest06", + "OldTargetUserName": "audittest0609", + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006" }, + "event_id": "4781", "keywords": [ "Audit Success" ], 
@@ -109,65 +70,102 @@ "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", - "OldTargetUserName": "audittest06", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetDomainName": "WIN-41OB2LO92CR", - "NewTargetUserName": "audittest0609", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2875", - "event_id": "4781", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:38:23.516Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2873", + "time_created": "2019-09-06T13:38:17.556Z" + } + }, + { + "@timestamp": "2019-09-06T13:38:23.516Z", + "agent": { + "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest0609", - "audittest06" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:47.094003081Z", - "code": "4781", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "renamed-user-account", "category": [ "iam" ], + "code": "4781", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { 
+ "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609", + "audittest06" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "NewTargetUserName": "audittest0609", + "OldTargetUserName": "audittest06", + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006" + }, + "event_id": "4781", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2875", + "time_created": "2019-09-06T13:38:23.516Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json index 9bfb0c90fa8..0572bf92092 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json 
@@ -1,87 +1,86 @@ { "expected": [ { + "@timestamp": "2019-10-08T10:20:34.053Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "d7c725da-6710-4bcf-b920-15c37a8b1d86", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-08T10:20:34.053Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 1740 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "CallerProcessId": "0x3f0", - "SubjectUserName": "WIN-41OB2LO92CR$", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "TargetUserName": "elastictest1", - "CallerProcessName": "C:\\Windows\\System32\\LogonUI.exe", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "2996", - "event_id": "4798", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", - "time_created": "2019-10-08T10:20:34.053Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$", - "elastictest1" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:48.424012427Z", - "code": "4798", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "group-membership-enumerated", "category": [ "iam" ], + "code": "4798", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", 
"type": [ "user", "info" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$", + "elastictest1" + ] }, "user": { - "name": "WIN-41OB2LO92CR$", "domain": "WORKGROUP", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "CallerProcessId": "0x3f0", + "CallerProcessName": "C:\\Windows\\System32\\LogonUI.exe", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4798", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 1740 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2996", + "time_created": "2019-10-08T10:20:34.053Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json index 164e7c72351..d741c0b47f7 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-08T10:20:44.472Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "3e299efc-a8d9-4a33-9acf-dbf6c4cd8ba4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-08T10:20:44.472Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "CallerProcessId": "0x494", - "SubjectUserName": "WIN-41OB2LO92CR$", - "TargetSid": "S-1-5-32-544", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "TargetUserName": "Administrators", - "CallerProcessName": "C:\\Windows\\System32\\svchost.exe", - "TargetDomainName": "Builtin", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "3002", - "event_id": "4799", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", - "time_created": "2019-10-08T10:20:44.472Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:48.855694045Z", - "code": "4799", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "user-member-enumerated", "category": [ "iam" ], + "code": "4799", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "info" - ], - "outcome": "success" + ] + }, 
+ "group": { + "domain": "Builtin", + "id": "S-1-5-32-544", + "name": "Administrators" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$" + ] }, "user": { - "name": "WIN-41OB2LO92CR$", "domain": "WORKGROUP", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" }, - "group": { - "name": "Administrators", - "domain": "Builtin", - "id": "S-1-5-32-544" + "winlog": { + "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "CallerProcessId": "0x494", + "CallerProcessName": "C:\\Windows\\System32\\svchost.exe", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "Builtin", + "TargetSid": "S-1-5-32-544", + "TargetUserName": "Administrators" + }, + "event_id": "4799", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3002", + "time_created": "2019-10-08T10:20:44.472Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json index df99a4acbe1..599cf204d37 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json 
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json 
@@ -1,159 +1,157 @@ { "expected": [ { + "@timestamp": "2019-05-17T11:06:58.210Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-05-17T11:06:58.210Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 776, - "thread": { - "id": 540 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x767a77" - }, - "channel": "Security", - "event_data": { - "TargetLogonId": "0x767a77", - "LogonType": "3", - "TargetUserName": "audittest", - "TargetDomainName": "WIN-41OB2LO92CR", - "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-1000" - }, - "opcode": "Info", - "record_id": "485", - "event_id": "4634", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-05-17T11:06:58.210Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "audittest" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:49.202541623Z", - "code": "4634", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-out", "category": [ "authentication" ], + "code": "4634", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "end" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" 
+ }, + "level": "information" + }, + "related": { + "user": [ + "audittest" + ] }, "user": { - "name": "audittest", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1000" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490", - "type": "filebeat", - "version": "8.0.0" + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" }, - "@timestamp": "2019-05-19T16:15:38.542Z", "winlog": { + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } + "event_data": { + "LogonType": "3", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetLogonId": "0x767a77", + "TargetUserName": "audittest", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-1000" }, + "event_id": "4634", "keywords": [ "Audit Success" ], "level": "information", "logon": { - "type": "Network", - "id": "0x104a4a6" - }, - "channel": "Security", - "event_data": { - "TargetLogonId": "0x104a4a6", - "LogonType": "3", - "TargetUserName": "Administrator", - "TargetDomainName": "WIN-41OB2LO92CR", - "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "0x767a77", + "type": "Network" }, "opcode": "Info", - "record_id": "747", - "event_id": "4634", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 540 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-05-19T16:15:38.542Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "485", + "time_created": "2019-05-17T11:06:58.210Z" + } + }, + { + "@timestamp": "2019-05-19T16:15:38.542Z", + "agent": { + "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": 
{ - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T05:19:49.202543790Z", - "code": "4634", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-out", "category": [ "authentication" ], + "code": "4634", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "end" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "LogonType": "3", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetLogonId": "0x104a4a6", + "TargetUserName": "Administrator", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": "4634", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x104a4a6", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "747", + "time_created": "2019-05-19T16:15:38.542Z" } } ] 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json index 242a86f3ce8..fd643b3d8d1 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json 
@@ -1,37 +1,82 @@ { "expected": [ { + "@timestamp": "2019-11-14T17:10:15.151Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "533cc04e-1719-48a1-ac94-731ac0fffcb7", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "created-process", + "category": [ + "process" + ], + "code": "4688", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml" + }, + "level": "information" + }, "process": { "args": [ "\"C:\\Windows\\system32\\wevtutil.exe\"", "cl", "Security" ], + "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", + "executable": "C:\\Windows\\System32\\wevtutil.exe", "name": "wevtutil.exe", "parent": { - "name": "powershell.exe", - "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "name": "powershell.exe" }, - "pid": 4556, - "executable": "C:\\Windows\\System32\\wevtutil.exe", - "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security" + "pid": 4556 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" }, - "@timestamp": "2019-11-14T17:10:15.151Z", "winlog": { + "channel": "Security", "computer_name": "vagrant", - "process": { - "pid": 4, - "thread": { - "id": 5076 - } + "event_data": { + "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", + "MandatoryLabel": "S-1-16-12288", + "ProcessId": "0x122c", + "SubjectDomainName": "VAGRANT", + 
"SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "TokenElevationType": "%%1937" }, + "event_id": "4688", "keywords": [ "Audit Success" ], 
@@ -39,65 +84,19 @@ "logon": { "id": "0x274a2" }, - "channel": "Security", - "event_data": { - "MandatoryLabel": "S-1-16-12288", - "TargetLogonId": "0x0", - "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", - "SubjectUserName": "vagrant", - "TokenElevationType": "%%1937", - "SubjectDomainName": "VAGRANT", - "SubjectLogonId": "0x274a2", - "ProcessId": "0x122c", - "TargetUserName": "-", - "TargetDomainName": "-", - "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000", - "TargetUserSid": "S-1-0-0" - }, "opcode": "Info", - "version": 2, - "record_id": "5010", - "event_id": "4688", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 5076 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-11-14T17:10:15.151Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml" - } - }, - "host": { - "name": "vagrant" - }, - "event": { - "ingested": "2022-01-12T05:19:50.337859764Z", - "code": "4688", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "created-process", - "category": [ - "process" - ], - "type": [ - "start" - ], - "outcome": "success" - }, - "user": { - "name": "vagrant", - "domain": "VAGRANT", - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000" + "record_id": "5010", + "time_created": "2019-11-14T17:10:15.151Z", + "version": 2 } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json index 861d5830caa..037053f39e9 100644 
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json @@ -1,27 +1,65 @@ { "expected": [ { + "@timestamp": "2019-11-14T21:26:49.496Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "exited-process", + "category": [ + "process" + ], + "code": "4689", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" + }, "process": { + "executable": "C:\\Windows\\System32\\wevtutil.exe", "name": "wevtutil.exe", - "pid": 5412, - "executable": "C:\\Windows\\System32\\wevtutil.exe" + "pid": 5412 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" }, - "@timestamp": "2019-11-14T21:26:49.496Z", "winlog": { + "channel": "Security", "computer_name": "vagrant", - "process": { - "pid": 4, - "thread": { - "id": 1168 - } + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" }, + "event_id": "4689", "keywords": [ "Audit Success" ], 
@@ -29,81 +67,80 @@ "logon": { "id": "0x274a2" }, - "channel": "Security", - "event_data": { - "Status": "0x0", - "SubjectUserName": "vagrant", - "SubjectDomainName": "VAGRANT", - "SubjectLogonId": "0x274a2", - "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" - }, "opcode": "Info", - "record_id": "7538", - "event_id": "4689", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 1168 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-11-14T21:26:49.496Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "7538", + "time_created": "2019-11-14T21:26:49.496Z" + } + }, + { + "@timestamp": "2019-11-14T21:27:46.960Z", + "agent": { + "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T05:19:51.240508600Z", - "code": "4689", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "exited-process", "category": [ "process" ], + "code": "4689", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "end" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT", - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant" + }, + "log": { + "file": { + 
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\taskhostw.exe", "name": "taskhostw.exe", - "pid": 3988, - "executable": "C:\\Windows\\System32\\taskhostw.exe" + "pid": 3988 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" }, - "@timestamp": "2019-11-14T21:27:46.960Z", "winlog": { + "channel": "Security", "computer_name": "vagrant", - "process": { - "pid": 4, - "thread": { - "id": 500 - } + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274f1", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" }, + "event_id": "4689", "keywords": [ "Audit Success" ], 
@@ -111,81 +148,80 @@ "logon": { "id": "0x274f1" }, - "channel": "Security", - "event_data": { - "Status": "0x0", - "SubjectUserName": "vagrant", - "SubjectDomainName": "VAGRANT", - "SubjectLogonId": "0x274f1", - "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" - }, "opcode": "Info", - "record_id": "7542", - "event_id": "4689", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 500 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-11-14T21:27:46.960Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "7542", + "time_created": "2019-11-14T21:27:46.960Z" + } + }, + { + "@timestamp": "2019-11-14T21:28:18.460Z", + "agent": { + "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T05:19:51.240510778Z", - "code": "4689", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "exited-process", "category": [ "process" ], + "code": "4689", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "end" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT", - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant" + }, + "log": { + "file": { 
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\wevtutil.exe", "name": "wevtutil.exe", - "pid": 2760, - "executable": "C:\\Windows\\System32\\wevtutil.exe" + "pid": 2760 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" }, - "@timestamp": "2019-11-14T21:28:18.460Z", "winlog": { + "channel": "Security", "computer_name": "vagrant", - "process": { - "pid": 4, - "thread": { - "id": 5636 - } + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" }, + "event_id": "4689", "keywords": [ "Audit Success" ], 
@@ -193,57 +229,18 @@ "logon": { "id": "0x274a2" }, - "channel": "Security", - "event_data": { - "Status": "0x0", - "SubjectUserName": "vagrant", - "SubjectDomainName": "VAGRANT", - "SubjectLogonId": "0x274a2", - "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" - }, "opcode": "Info", - "record_id": "7544", - "event_id": "4689", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 5636 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-11-14T21:28:18.460Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "host": { - "name": "vagrant" - }, - "event": { - "ingested": "2022-01-12T05:19:51.240511243Z", - "code": "4689", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "exited-process", - "category": [ - "process" - ], - "type": [ - "end" - ], - "outcome": "success" - }, - "user": { - "name": "vagrant", - "domain": "VAGRANT", - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000" + "record_id": "7544", + "time_created": "2019-11-14T21:28:18.460Z" } } ] diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json index 9673dc30502..166af7fe76d 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json +++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json 
@@ -1,61 +1,21 @@ { "expected": [ { + "@timestamp": "2021-09-14T09:01:34.006Z", "agent": { - "name": "logcollector2", + "ephemeral_id": "b512edb8-9998-42bd-8941-e1e53d750cc9", "hostname": "logcollector2", "id": "ef67a54e-002d-4c31-a1c8-931a1a56bea4", - "ephemeral_id": "b512edb8-9998-42bd-8941-e1e53d750cc9", + "name": "logcollector2", "type": "filebeat", "version": "7.14.1" }, - "process": { - "entity_id": "{00000000-0000-0000-0000-000000000000}", - "pid": 6968, - "executable": "\u003cunknown process\u003e" - }, - "winlog": { - "computer_name": "Win2018Eval", - "record_id": "12337", - "process": { - "pid": 2412, - "thread": { - "id": 3596 - } - }, - "event_id": "22", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "api": "wineventlog", - "provider_name": "Microsoft-Windows-Sysmon", - "user": { - "name": "SYSTEM", - "identifier": "S-1-5-18", - "type": "User", - "domain": "NT AUTHORITY" - }, - "version": 5 - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "elastic_agent": { - "version": "7.14.1", - "snapshot": false, - "id": "ef67a54e-002d-4c31-a1c8-931a1a56bea4" + "data_stream": { + "dataset": "windows.forwarded", + "namespace": "default", + "type": "logs" }, "dns": { - "question": { - "name": "enterpriseregistration.windows.net", - "subdomain": "enterpriseregistration", - "registered_domain": "windows.net", - "top_level_domain": "net" - }, "answers": [ { "data": "adrs.privatelink.msidentity.com", 
@@ -70,22 +30,55 @@ "type": "A" } ], + "question": { + "name": "enterpriseregistration.windows.net", + "registered_domain": "windows.net", + "subdomain": "enterpriseregistration", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, - "tags": [ - "forwarded" - ], - "network": { - "protocol": "dns" + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "ef67a54e-002d-4c31-a1c8-931a1a56bea4", + "snapshot": false, + "version": "7.14.1" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2021-09-14T09:20:46.257Z", + "dataset": "windows.forwarded", + "kind": "event", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "Win2018Eval" }, "input": { "type": "winlog" }, - "@timestamp": "2021-09-14T09:01:34.006Z", - "ecs": { - "version": "8.0.0" + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{00000000-0000-0000-0000-000000000000}", + "executable": "\u003cunknown process\u003e", + "pid": 6968 }, "related": { "hosts": [ 
@@ -97,75 +90,43 @@ "89.160.20.156" ] }, - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "windows.forwarded" - }, - "host": { - "name": "Win2018Eval" - }, - "event": { - "ingested": "2022-01-12T05:19:53.803627077Z", - "code": "22", - "provider": "Microsoft-Windows-Sysmon", - "created": "2021-09-14T09:20:46.257Z", - "kind": "event", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ], - "dataset": "windows.forwarded" + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, + "tags": [ + "forwarded" + ], "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 356, - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "66", + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "Win2018Eval", + "event_id": "22", "process": { - "pid": 2828, + "pid": 2412, "thread": { - "id": 1684 + "id": 3596 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "12337", "user": { - "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "go.microsoft.com", - "subdomain": "go", - "registered_domain": "microsoft.com", - "top_level_domain": "com" + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "User" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.239Z", + "dns": { "answers": [ { "data": "go.microsoft.com.edgekey.net", 
@@ -180,16 +141,45 @@ "type": "A" } ], + "question": { + "name": "go.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "go", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.239Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 }, "related": { "hosts": [ 
@@ -201,67 +191,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803629638Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025223900Z'/\u003e\u003cEventRecordID\u003e66\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.239\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ego.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "67", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "66", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "www.msn.com", - "subdomain": "www", - "registered_domain": "msn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.261Z", + "dns": { "answers": [ { "data": "www-msn-com.a-0003.a-msedge.net", 
@@ -276,16 +236,45 @@ "type": "A" } ], + "question": { + "name": "www.msn.com", + "registered_domain": "msn.com", + "subdomain": "www", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, 
+ "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.261Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -297,147 +286,116 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803630083Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025237700Z'/\u003e\u003cEventRecordID\u003e67\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.261\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "go.exe", - "pid": 2184, - 
"entity_id": "{42f11c3b-c36f-5eb3-2c07-290000000000}", - "pe": { - "imphash": "d90d8c7812aec8da0fa173afa1293ab2" - }, - "hash": { - "md5": "199e1cf5b2250bd515ecccf4ca686301" - }, - "executable": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "612", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 664, + "pid": 2828, "thread": { - "id": 2360 + "id": 1684 } }, - "event_id": "23", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "67", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "file": { - "archived": true, - "is_executable": true - } - }, + }, + "version": 5 + } + }, + { "@timestamp": "2020-05-07T08:14:44.489Z", - "file": { - "name": "test.test.exe", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe", - "extension": "exe", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" + "event": { + "category": [ + "file" ], - "hash": [ - "199e1cf5b2250bd515ecccf4ca686301", - "d90d8c7812aec8da0fa173afa1293ab2" + "code": "23", + "created": "2020-05-07T08:14:44.489Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2020-05-07T08:14:44.489978500Z'/\u003e\u003cEventRecordID\u003e612\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 08:14:44.489\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-c36f-5eb3-2c07-290000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2184\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\u003c/Data\u003e\u003cData Name='IsExecutable'\u003etrue\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" ] }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001", + "extension": "exe", + "name": "test.test.exe", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe" + }, "log": { "level": "information" }, - "event": { - "ingested": "2022-01-12T05:19:53.803630470Z", - "code": "23", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T08:14:44.489978500Z'/\u003e\u003cEventRecordID\u003e612\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 08:14:44.489\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-c36f-5eb3-2c07-290000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2184\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\u003c/Data\u003e\u003cData Name='IsExecutable'\u003etrue\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-07T08:14:44.489Z", - "category": [ - "file" + "process": { + "entity_id": "{42f11c3b-c36f-5eb3-2c07-290000000000}", + "executable": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe", + "hash": { + "md5": "199e1cf5b2250bd515ecccf4ca686301" + }, + "name": "go.exe", + "pe": { + "imphash": 
"d90d8c7812aec8da0fa173afa1293ab2" + }, + "pid": 2184 + }, + "related": { + "hash": [ + "199e1cf5b2250bd515ecccf4ca686301", + "d90d8c7812aec8da0fa173afa1293ab2" ], - "type": [ - "deletion" + "user": [ + "vagrant" ] }, + "sysmon": { + "file": { + "archived": true, + "is_executable": true + } + }, "user": { - "name": "vagrant", "domain": "VAGRANT-2012-R2", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "vagrant" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "68", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "23", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 664, "thread": { - "id": 1684 + "id": 2360 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "612", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "static-global-s-msn-com.akamaized.net", - "subdomain": "static-global-s-msn-com", - "registered_domain": "akamaized.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.449Z", + "dns": { "answers": [ { "data": "a1999.dscg2.akamai.net", 
@@ -452,17 +410,46 @@ "type": "A" } ], + "question": { + "name": "static-global-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": "static-global-s-msn-com", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.449Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -473,67 +460,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803630782Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025262300Z'/\u003e\u003cEventRecordID\u003e68\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.449\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-global-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1999.dscg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 
356, - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "69", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "68", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "www.bing.com", - "subdomain": "www", - "registered_domain": "bing.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.457Z", + "dns": { "answers": [ { "data": "a-0001.a-afdentry.net.trafficmanager.net", 
@@ -552,17 +509,46 @@ "type": "A" } ], + "question": { + "name": "www.bing.com", + "registered_domain": "bing.com", + "subdomain": "www", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ 
+ "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.457Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 }, "related": { "hosts": [ 
@@ -574,234 +560,231 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803631106Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025273600Z'/\u003e\u003cEventRecordID\u003e69\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.457\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" + }, + "winlog": { + "channel": 
"Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "69", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 } }, { + "@timestamp": "2020-05-05T14:57:40.589Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "configuration", + "registry" + ], + "code": "13", + "created": "2020-05-05T14:57:40.599Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:40.599567200Z'/\u003e\u003cEventRecordID\u003e2682\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:40.589\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\u003c/Data\u003e\u003cData 
Name='Details'\u003eDWORD (0x00000004)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 6072 + }, "registry": { - "hive": "HKU", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", "data": { "strings": [ "0x00000004" ], "type": "SZ_DWORD" }, - "value": "Key 1", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1" + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "value": "Key 1" }, - "process": { - "name": "regedit.exe", - "pid": 6072, - "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", - "executable": "C:\\Windows\\regedit.exe" + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2020-05-05T14:57:40.589Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", - "record_id": "2682", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", "process": { "pid": 5496, "thread": { "id": 876 } }, - "event_id": "13", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "EventType": "SetValue" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 2, + "record_id": "2682", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-07T07:27:18.722Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803631446Z", - "code": "13", - "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:40.599567200Z'/\u003e\u003cEventRecordID\u003e2682\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:40.589\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\u003c/Data\u003e\u003cData Name='Details'\u003eDWORD (0x00000004)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-05T14:57:40.599Z", "category": [ - "configuration", - "registry" + "file" ], + "code": "23", + "created": "2020-05-07T07:27:18.722Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T07:27:18.722136100Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 07:27:18.722\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-b2b6-5eb3-18ab-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e776\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=115106F5B338C87AE6836D50DD890DE3DA296367\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ - "change" + "deletion" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "file": { + "directory": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local", + "extension": "dat", + "name": "lastalive0.dat", + "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" + }, + "log": { + "level": "information" + }, "process": { - "name": "svchost.exe", - "pid": 776, "entity_id": 
"{42f11c3b-b2b6-5eb3-18ab-000000000000}", + "executable": "C:\\Windows\\System32\\svchost.exe", "hash": { "sha1": "115106f5b338c87ae6836d50dd890de3da296367" }, - "executable": "C:\\Windows\\System32\\svchost.exe" + "name": "svchost.exe", + "pid": 776 + }, + "related": { + "hash": [ + "115106f5b338c87ae6836d50dd890de3da296367" + ], + "user": [ + "LOCAL SERVICE" + ] + }, + "sysmon": { + "file": { + "archived": true, + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "LOCAL SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "11", + "event_id": "23", + "opcode": "Info", "process": { "pid": 664, "thread": { "id": 2360 } }, - "event_id": "23", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "11", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "file": { - "archived": true, - "is_executable": false - } - }, - "@timestamp": "2020-05-07T07:27:18.722Z", - "file": { - "name": "lastalive0.dat", - "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat", - "extension": "dat", - "directory": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.494Z", + "dns": { + "answers": [ + { + "data": "linkmaker.itunes.apple.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e4541.dsce9.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "89.160.20.156", + "type": "A" + } + ], + "question": { + "name": "linkmaker.itunes.apple.com", + "registered_domain": "apple.com", + "subdomain": "linkmaker.itunes", + "top_level_domain": "com" + }, + "resolved_ip": [ + "89.160.20.156" + ] }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "LOCAL SERVICE" + "event": { + "category": [ + 
"network" ], - "hash": [ - "115106f5b338c87ae6836d50dd890de3da296367" + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" ] }, "log": { "level": "information" }, - "event": { - "ingested": "2022-01-12T05:19:53.803631751Z", - "code": "23", - "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-07T07:27:18.722136100Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='664' ThreadID='2360'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-07 07:27:18.722\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-b2b6-5eb3-18ab-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e776\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=115106F5B338C87AE6836D50DD890DE3DA296367\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-07T07:27:18.722Z", - "category": [ - "file" - ], - "type": [ - "deletion" - ] - }, - "user": { - "name": "LOCAL SERVICE", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" - }, - "winlog": { - "computer_name": "vagrant-2016", - "record_id": "70", - "process": { - "pid": 2828, - "thread": { - "id": 1684 - } - }, - "event_id": "22", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "linkmaker.itunes.apple.com", - "subdomain": "linkmaker.itunes", - "registered_domain": "apple.com", - "top_level_domain": "com" - }, - "answers": [ - { - "data": "linkmaker.itunes.apple.com.edgekey.net", - "type": "CNAME" - }, - { - "data": "e4541.dsce9.akamaiedge.net", - "type": "CNAME" - }, - { - "data": "89.160.20.156", - "type": "A" - } - ], - "resolved_ip": [ - "89.160.20.156" - ] - }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.494Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -813,66 +796,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803632084Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025284200Z'/\u003e\u003cEventRecordID\u003e70\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elinkmaker.itunes.apple.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "71", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "70", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "confiant-integrations.global.ssl.fastly.net", - "top_level_domain": "global.ssl.fastly.net", - "registered_domain": "confiant-integrations.global.ssl.fastly.net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.810Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -891,6 +845,11 @@ "type": "A" } ], + "question": { + "name": "confiant-integrations.global.ssl.fastly.net", + "registered_domain": "confiant-integrations.global.ssl.fastly.net", + "top_level_domain": "global.ssl.fastly.net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -898,82 +857,75 @@ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:01.810Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "confiant-integrations.global.ssl.fastly.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803632408Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": 
"2019-07-18T03:34:02.025Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025317300Z'/\u003e\u003cEventRecordID\u003e71\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.810\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econfiant-integrations.global.ssl.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "confiant-integrations.global.ssl.fastly.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "72", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "71", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "c.msn.com", - "subdomain": "c", - "registered_domain": "msn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.894Z", + "dns": { "answers": [ { "data": "c.msn.com.nsatc.net", 
@@ -984,87 +936,86 @@ "type": "A" } ], + "question": { + "name": "c.msn.com", + "registered_domain": "msn.com", + "subdomain": "c", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:01.894Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "c.msn.com.nsatc.net", - "c.msn.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803632730Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - 
"provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025330400Z'/\u003e\u003cEventRecordID\u003e72\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c.msn.com.nsatc.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "c.msn.com.nsatc.net", + "c.msn.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "73", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "72", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "c.bing.com", - "subdomain": "c", - "registered_domain": "bing.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.948Z", + "dns": { "answers": [ { "data": "c-bing-com.a-0001.a-msedge.net", 
@@ -1083,17 +1034,46 @@ "type": "A" } ], + "question": { + "name": "c.bing.com", + "registered_domain": "bing.com", + "subdomain": "c", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:02.025Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:01.948Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -1105,153 +1085,122 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803633197Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:02.025347300Z'/\u003e\u003cEventRecordID\u003e73\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:01.948\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:02.025Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "74", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "73", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "contextual.media.net", - "subdomain": "contextual", - "registered_domain": "media.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.085Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "contextual.media.net", + "registered_domain": "media.net", + "subdomain": "contextual", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.085Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "contextual.media.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803633557Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028190100Z'/\u003e\u003cEventRecordID\u003e74\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.085\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003econtextual.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "contextual.media.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "75", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "74", "user": { 
"identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "at.atwola.com", - "subdomain": "at", - "registered_domain": "atwola.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.174Z", + "dns": { "answers": [ { "data": "glb-ads.atwola.adtechus.com", 
@@ -1274,16 +1223,45 @@ "type": "A" } ], + "question": { + "name": "at.atwola.com", + "registered_domain": "atwola.com", + "subdomain": "at", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.174Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -1297,67 +1275,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803633885Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028274700Z'/\u003e\u003cEventRecordID\u003e75\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.174\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eat.atwola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": 
"S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "76", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "75", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "m.adnxs.com", - "subdomain": "m", - "registered_domain": "adnxs.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.274Z", + "dns": { "answers": [ { "data": "microsoft.geo.appnexusgslb.net", @@ -1404,6 +1352,12 @@ "type": "A" } ], + "question": { + "name": "m.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "m", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -1416,12 +1370,35 @@ "192.168.80.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": 
"information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.274Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -1440,67 +1417,37 @@ "192.168.80.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803634207Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028358900Z'/\u003e\u003cEventRecordID\u003e76\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003em.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": 
{ + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "77", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "76", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cms.analytics.yahoo.com", - "subdomain": "cms.analytics", - "registered_domain": "yahoo.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.291Z", + "dns": { "answers": [ { "data": "spcms-global.pbp.gysm.yahoodns.net", 
@@ -1511,16 +1458,45 @@ "type": "A" } ], + "question": { + "name": "cms.analytics.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "cms.analytics", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.291Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -1531,67 +1507,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803634527Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028412800Z'/\u003e\u003cEventRecordID\u003e77\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.291\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecms.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "78", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "77", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cvision.media.net", - "subdomain": "cvision", - "registered_domain": "media.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.413Z", + "dns": { "answers": [ { "data": "cvision.media.net.edgekey.net", 
@@ -1606,88 +1552,87 @@ "type": "A" } ], + "question": { + "name": "cvision.media.net", + "registered_domain": "media.net", + "subdomain": "cvision", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.413Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "cvision.media.net.edgekey.net", - "e607.d.akamaiedge.net", - "cvision.media.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803635082Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", "category": [ "network" ], - "type": [ - "connection", - "protocol", - "info" + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028501000Z'/\u003e\u003cEventRecordID\u003e78\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecvision.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" ] }, - 
"user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "cvision.media.net.edgekey.net", + "e607.d.akamaiedge.net", + "cvision.media.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "79", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "78", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "g.bing.com", - "subdomain": "g", - "registered_domain": "bing.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.424Z", + "dns": { "answers": [ { "data": "g-bing-com.a-0001.a-msedge.net", 
@@ -1706,17 +1651,46 @@ "type": "A" } ], + "question": { + "name": "g.bing.com", + "registered_domain": "bing.com", + "subdomain": "g", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.424Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -1728,153 +1702,122 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803635566Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028585600Z'/\u003e\u003cEventRecordID\u003e79\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.424\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eg.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "80", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "79", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "lg3.media.net", - "subdomain": "lg3", - "registered_domain": "media.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.427Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "lg3.media.net", + "registered_domain": "media.net", + "subdomain": "lg3", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.427Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "lg3.media.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803635951Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.028Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.028Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.028900300Z'/\u003e\u003cEventRecordID\u003e80\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.427\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elg3.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "lg3.media.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "81", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "80", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": 
"service.sp.advertising.com", - "subdomain": "service.sp", - "registered_domain": "advertising.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.469Z", + "dns": { "answers": [ { "data": "service.sp.aolp-ds-prd.aws.oath.cloud", 
@@ -1893,150 +1836,148 @@ "type": "A" } ], + "question": { + "name": "service.sp.advertising.com", + "registered_domain": "advertising.com", + "subdomain": "service.sp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.469Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "service.sp.aolp-ds-prd.aws.oath.cloud", - "service.sp.advertising.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803636815Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029031100Z'/\u003e\u003cEventRecordID\u003e81\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.469\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eservice.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { - "registry": { - "hive": "HKU", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "value": "HRZR_PGYFRFFVBA", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" }, "process": { - "name": "Explorer.EXE", - "pid": 4320, - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", - "executable": "C:\\Windows\\Explorer.EXE" + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "service.sp.aolp-ds-prd.aws.oath.cloud", + "service.sp.advertising.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2020-05-05T14:57:44.714Z", "winlog": { - "computer_name": "vagrant", - "record_id": "2686", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 5496, + "pid": 2828, "thread": { - "id": 876 + "id": 1684 } }, - "event_id": "13", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "EventType": "SetValue" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 2, + "record_id": "81", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + 
"@timestamp": "2020-05-05T14:57:44.714Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803637184Z", - "code": "13", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.723248500Z'/\u003e\u003cEventRecordID\u003e2686\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-05T14:57:44.723Z", "category": [ "configuration", "registry" ], + "code": "13", + "created": "2020-05-05T14:57:44.723Z", + "kind": 
"event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.723248500Z'/\u003e\u003cEventRecordID\u003e2686\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": 
"S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "value": "HRZR_PGYFRFFVBA" + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "82", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 5496, "thread": { - "id": 1684 + "id": 876 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "2686", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sb.scorecardresearch.com", - "subdomain": "sb", - "registered_domain": "scorecardresearch.com", - "top_level_domain": "com" }, + "version": 2 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.485Z", + "dns": { "answers": [ { "data": "sb.scorecardresearch.com.edgekey.net", 
@@ -2051,16 +1992,45 @@ "type": "A" } ], + "question": { + "name": "sb.scorecardresearch.com", + "registered_domain": "scorecardresearch.com", + "subdomain": "sb", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": 
[ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.485Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -2072,67 +2042,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803637713Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029098400Z'/\u003e\u003cEventRecordID\u003e82\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.485\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "83", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "82", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "otf.msn.com", - "subdomain": "otf", - "registered_domain": "msn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.500Z", + "dns": { "answers": [ { "data": "iceotf-prod-fe-tm.trafficmanager.net", 
@@ -2147,216 +2087,213 @@ "type": "A" } ], + "question": { + "name": "otf.msn.com", + "registered_domain": "msn.com", + "subdomain": "otf", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.500Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "iceotf-prod-fe-tm.trafficmanager.net", - "iceotf-prod-fe-eastus.cloudapp.net", - "otf.msn.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803638142Z", + "category": [ + "network" + ], "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 
iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029112900Z'/\u003e\u003cEventRecordID\u003e83\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.500\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eotf.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", 
"info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { - "registry": { - "hive": "HKU", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", - "data": { - "strings": [ - "5" - ], - "type": "SZ_QWORD" - }, - "value": "Key 2", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2" + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" }, "process": { - "name": "regedit.exe", - "pid": 6072, - "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", - "executable": "C:\\Windows\\regedit.exe" + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "iceotf-prod-fe-tm.trafficmanager.net", + "iceotf-prod-fe-eastus.cloudapp.net", + "otf.msn.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2020-05-05T14:57:44.714Z", "winlog": { - "computer_name": "vagrant", - "record_id": "2687", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 5496, + "pid": 2828, "thread": { - "id": 876 + "id": 1684 } }, - "event_id": "13", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "EventType": "SetValue" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 2, + "record_id": "83", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2020-05-05T14:57:44.714Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803638702Z", - "code": "13", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.726009900Z'/\u003e\u003cEventRecordID\u003e2687\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x00000005)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-05T14:57:44.726Z", "category": [ "configuration", "registry" ], + "code": "13", + "created": "2020-05-05T14:57:44.726Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:44.726009900Z'/\u003e\u003cEventRecordID\u003e2687\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:44.714\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-77ae-5eb1-2c03-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e6072\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\regedit.exe\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\u003c/Data\u003e\u003cData Name='Details'\u003eQWORD (0x00000000-0x00000005)\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 6072 + }, "registry": { + "data": { + "strings": [ + "5" + ], + "type": "SZ_QWORD" + }, "hive": "HKU", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", - "value": 
"ertrqvg.rkr", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr" + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", + "value": "Key 2" }, - "process": { - "name": "Explorer.EXE", - "pid": 4320, - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", - "executable": "C:\\Windows\\Explorer.EXE" + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2020-05-05T14:57:46.808Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", - "record_id": "2690", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", "process": { "pid": 5496, "thread": { "id": 876 } }, - "event_id": "13", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "EventType": "SetValue" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 2, + "record_id": "2687", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:46.808Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803639052Z", - "code": "13", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2020-05-05T14:57:46.818821400Z'/\u003e\u003cEventRecordID\u003e2690\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-05T14:57:46.818Z", "category": [ "configuration", "registry" ], + "code": "13", + "created": "2020-05-05T14:57:46.818Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818821400Z'/\u003e\u003cEventRecordID\u003e2690\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution 
ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", + "value": "ertrqvg.rkr" + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "84", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 5496, "thread": { - "id": 1684 + "id": 876 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "2690", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ping.chartbeat.net", - "subdomain": "ping", - "registered_domain": "chartbeat.net", - "top_level_domain": "net" }, + "version": 2 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.580Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -2391,6 +2328,12 @@ "type": "A" } ], + "question": { + "name": "ping.chartbeat.net", + "registered_domain": "chartbeat.net", + "subdomain": "ping", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -2402,81 +2345,75 @@ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.580Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "ping.chartbeat.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803639427Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": 
"event", - "created": "2019-07-18T03:34:03.029Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029126300Z'/\u003e\u003cEventRecordID\u003e84\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.580\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eping.chartbeat.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { 
- "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, - "winlog": { - "computer_name": "vagrant-2016", - "record_id": "85", - "process": { - "pid": 2828, - "thread": { - "id": 1684 - } - }, - "event_id": "22", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } + "related": { + "hosts": [ + "ping.chartbeat.net" + ], + "ip": [ + "89.160.20.156" + ] }, "sysmon": { "dns": { "status": "SUCCESS" } }, - "log": { - "level": "information" + "user": { + "id": "S-1-5-18" }, - "dns": { - "question": { - "name": "clarium.freetls.fastly.net", - "top_level_domain": "freetls.fastly.net", - "registered_domain": "clarium.freetls.fastly.net" + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "84", + "user": { + "identifier": "S-1-5-18" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.628Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -2495,6 +2432,11 @@ "type": "A" } ], + "question": { + "name": "clarium.freetls.fastly.net", + "registered_domain": "clarium.freetls.fastly.net", + "top_level_domain": "freetls.fastly.net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -2502,82 +2444,75 @@ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.628Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "clarium.freetls.fastly.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803639883Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", "category": [ 
"network" ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029148500Z'/\u003e\u003cEventRecordID\u003e85\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.628\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eclarium.freetls.fastly.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "clarium.freetls.fastly.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "86", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "85", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "nym1-ib.adnxs.com", - "subdomain": "nym1-ib", - "registered_domain": "adnxs.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.633Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -2632,6 +2567,12 @@ "type": "A" } ], + "question": { + "name": "nym1-ib.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "nym1-ib", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -2648,12 +2589,35 @@ "192.168.92.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] 
+ }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.633Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -2668,67 +2632,37 @@ "192.168.92.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803640312Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029159100Z'/\u003e\u003cEventRecordID\u003e86\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.633\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003enym1-ib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - 
"info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "87", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "86", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "eb2.3lift.com", - "subdomain": "eb2", - "registered_domain": "3lift.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.716Z", + "dns": { "answers": [ { "data": "us-east-eb2.3lift.com", @@ -2775,6 +2709,12 @@ "type": "A" } ], + "question": { + "name": "eb2.3lift.com", + "registered_domain": "3lift.com", + "subdomain": "eb2", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -2787,12 +2727,35 @@ "192.168.6.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.716Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -2805,74 +2768,44 @@ "192.168.6.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803640720Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029240500Z'/\u003e\u003cEventRecordID\u003e87\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.716\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eeb2.3lift.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ 
- "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "88", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "87", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.727Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "px.ads.linkedin.com", - "subdomain": "px.ads", - "registered_domain": "linkedin.com", - "top_level_domain": "com" - }, "answers": [ { "data": "mix.linkedin.com", @@ -2923,6 +2856,12 @@ "type": "A" } ], + "question": { + "name": "px.ads.linkedin.com", + "registered_domain": "linkedin.com", + "subdomain": "px.ads", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -2936,12 +2875,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.727Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -2962,67 +2924,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803641222Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029251400Z'/\u003e\u003cEventRecordID\u003e88\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.727\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epx.ads.linkedin.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { 
+ "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "89", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "88", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "login.live.com", - "subdomain": "login", - "registered_domain": "live.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.733Z", + "dns": { "answers": [ { "data": "login.msa.msidentity.com", 
@@ -3045,18 +2977,47 @@ "type": "A" } ], + "question": { + "name": "login.live.com", + "registered_domain": "live.com", + "subdomain": "login", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.733Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3068,74 +3029,44 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803641593Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029260200Z'/\u003e\u003cEventRecordID\u003e89\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.733\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003elogin.live.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - 
"name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "90", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "89", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.792Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "dis.criteo.com", - "subdomain": "dis", - "registered_domain": "criteo.com", - "top_level_domain": "com" - }, "answers": [ { "data": "89.160.20.156", @@ -3186,6 +3117,12 @@ "type": "A" } ], + "question": { + "name": "dis.criteo.com", + "registered_domain": "criteo.com", + "subdomain": "dis", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -3201,18 +3138,41 @@ "192.168.51.30" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:02.792Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "dis.criteo.com" - ], - "ip": [ + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + 
"provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "dis.criteo.com" + ], + "ip": [ "89.160.20.156", "192.168.6.30", "2001:503:a83e::2:30", 
@@ -3227,67 +3187,37 @@ "192.168.51.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803641935Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029315200Z'/\u003e\u003cEventRecordID\u003e90\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edis.criteo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "91", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "90", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ib.adnxs.com", - "subdomain": "ib", - "registered_domain": "adnxs.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.792Z", + "dns": { "answers": [ { "data": "g.geogslb.com", @@ -3342,6 +3272,12 @@ "type": "A" } ], + "question": { + "name": "ib.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "ib", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -3356,12 +3292,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.792Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3376,67 +3335,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803642337Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029331100Z'/\u003e\u003cEventRecordID\u003e91\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.792\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eib.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - 
"protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "92", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "91", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cm.g.doubleclick.net", - "subdomain": "cm.g", - "registered_domain": "doubleclick.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.809Z", + "dns": { "answers": [ { "data": "pagead.l.doubleclick.net", 
@@ -3447,16 +3376,45 @@ "type": "A" } ], + "question": { + "name": "cm.g.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": "cm.g", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + 
"log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.809Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3467,71 +3425,41 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803642694Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029339900Z'/\u003e\u003cEventRecordID\u003e92\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.809\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "93", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "92", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "match.adsrvr.org", - "subdomain": "match", - "registered_domain": "adsrvr.org", - "top_level_domain": "org" }, - "answers": [ - { - "data": "match-975362022.us-east-1.elb.amazonaws.com", - "type": "CNAME" + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.821Z", + "dns": { + "answers": [ + { + "data": "match-975362022.us-east-1.elb.amazonaws.com", + "type": "CNAME" }, { "data": "89.160.20.156", @@ -3574,6 +3502,12 @@ "type": "A" } ], + "question": { + "name": "match.adsrvr.org", + "registered_domain": "adsrvr.org", + "subdomain": "match", + "top_level_domain": "org" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -3587,12 +3521,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, 
+ "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.821Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3606,67 +3563,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803643215Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029350100Z'/\u003e\u003cEventRecordID\u003e93\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.adsrvr.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - 
"info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "94", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "93", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ssum-sec.casalemedia.com", - "subdomain": "ssum-sec", - "registered_domain": "casalemedia.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.821Z", + "dns": { "answers": [ { "data": "ssum-sec.casalemedia.com.edgekey.net", 
@@ -3681,16 +3608,45 @@ "type": "A" } ], + "question": { + "name": "ssum-sec.casalemedia.com", + "registered_domain": "casalemedia.com", + "subdomain": "ssum-sec", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": 
[ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.821Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3702,67 +3658,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803643592Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029358900Z'/\u003e\u003cEventRecordID\u003e94\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.821\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003essum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", 
- "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "95", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "94", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "protected-by.clarium.io", - "subdomain": "protected-by", - "registered_domain": "clarium.io", - "top_level_domain": "io" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.828Z", + "dns": { "answers": [ { "data": "adserver-clarium-446793891.us-east-1.elb.amazonaws.com", @@ -3809,6 +3735,12 @@ "type": "AAAA" } ], + "question": { + "name": "protected-by.clarium.io", + "registered_domain": "clarium.io", + "subdomain": "protected-by", + "top_level_domain": "io" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -3822,12 +3754,35 @@ "2001:503:a83e::2:30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", 
+ "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.828Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3840,67 +3795,37 @@ "2001:503:a83e::2:30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803643909Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029369500Z'/\u003e\u003cEventRecordID\u003e95\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.828\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprotected-by.clarium.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "96", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "95", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pagead2.googlesyndication.com", - "subdomain": "pagead2", - "registered_domain": "googlesyndication.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.838Z", + "dns": { "answers": [ { "data": "pagead46.l.doubleclick.net", 
@@ -3911,16 +3836,45 @@ "type": "A" } ], + "question": { + "name": "pagead2.googlesyndication.com", + "registered_domain": "googlesyndication.com", + "subdomain": "pagead2", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.838Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -3931,67 +3885,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803644315Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029379000Z'/\u003e\u003cEventRecordID\u003e96\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.838\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epagead2.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "97", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "96", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "googleads.g.doubleclick.net", - "subdomain": "googleads.g", - "registered_domain": "doubleclick.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.839Z", + "dns": { "answers": [ { "data": "pagead46.l.doubleclick.net", 
@@ -4002,16 +3926,45 @@ "type": "A" } ], + "question": { + "name": "googleads.g.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": "googleads.g", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", 
+ "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.839Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4022,67 +3975,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803644714Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029388500Z'/\u003e\u003cEventRecordID\u003e97\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.839\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "98", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "97", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pixel.advertising.com", - "subdomain": "pixel", - "registered_domain": "advertising.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.841Z", + "dns": { "answers": [ { "data": "prod.ups-adcom.aolp-ds-prd.aws.oath.cloud", @@ -4125,6 +4048,12 @@ "type": "A" } ], + "question": { + "name": "pixel.advertising.com", + "registered_domain": "advertising.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -4136,12 +4065,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", 
+ "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.841Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4153,67 +4105,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803645047Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029398800Z'/\u003e\u003cEventRecordID\u003e98\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.841\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "99", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "98", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "onevideosync.uplynk.com", - "subdomain": "onevideosync", - "registered_domain": "uplynk.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.844Z", + "dns": { "answers": [ { "data": "uplynk.adaptv.advertising.com", @@ -4248,6 +4170,12 @@ "type": "A" } ], + "question": { + "name": "onevideosync.uplynk.com", + "registered_domain": "uplynk.com", + "subdomain": "onevideosync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -4256,12 +4184,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.844Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4277,115 +4228,84 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803645436Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029408600Z'/\u003e\u003cEventRecordID\u003e99\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.844\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eonevideosync.uplynk.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "@timestamp": "2019-03-18T16:57:37.933Z", + }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "1", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4616, + "pid": 2828, "thread": { - "id": 4724 + "id": 1684 } }, - "event_id": "16", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "Configuration": "C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "99", "user": { - "identifier": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, + "identifier": "S-1-5-18" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:37.933Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803645858Z", - "code": "16", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e16\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e16\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:37.933324000Z'/\u003e\u003cEventRecordID\u003e1\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4616' ThreadID='4724'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-21-3541430928-2051711210-1391384369-1001'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.933\u003c/Data\u003e\u003cData Name='Configuration'\u003eC:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\u003c/Data\u003e\u003cData Name='ConfigurationFileHash'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:37.933Z", "category": [ "configuration" ], + "code": "16", + "created": "2019-03-18T16:57:37.933Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e16\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e16\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:37.933324000Z'/\u003e\u003cEventRecordID\u003e1\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4616' ThreadID='4724'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-3541430928-2051711210-1391384369-1001'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.933\u003c/Data\u003e\u003cData Name='Configuration'\u003eC:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\u003c/Data\u003e\u003cData Name='ConfigurationFileHash'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "log": { + "level": "information" + }, "user": { "id": 
"S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "100", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "Configuration": "C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n" + }, + "event_id": "16", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4616, "thread": { - "id": 1684 + "id": 4724 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "1", "user": { - "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ad.turn.com", - "subdomain": "ad", - "registered_domain": "turn.com", - "top_level_domain": "com" + "identifier": "S-1-5-21-3541430928-2051711210-1391384369-1001" }, + "version": 3 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.956Z", + "dns": { "answers": [ { "data": "ad.turn.com.akadns.net", 
@@ -4396,16 +4316,45 @@ "type": "A" } ], + "question": { + "name": "ad.turn.com", + "registered_domain": "turn.com", + "subdomain": "ad", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": 
"information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:02.956Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4416,67 +4365,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803646309Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.029416700Z'/\u003e\u003cEventRecordID\u003e100\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:02.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.turn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ad.turn.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "101", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "100", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ups.analytics.yahoo.com", - "subdomain": "ups.analytics", - "registered_domain": "yahoo.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.005Z", + "dns": { "answers": [ { "data": "prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud", @@ -4515,10 +4434,16 @@ "type": "A" } ], - "resolved_ip": [ - "89.160.20.156", - "89.160.20.156", - "89.160.20.156", + "question": { + "name": "ups.analytics.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "ups.analytics", + "top_level_domain": "com" + }, + "resolved_ip": [ + "89.160.20.156", + "89.160.20.156", + "89.160.20.156", "89.160.20.156", "89.160.20.156", "89.160.20.156", 
@@ -4526,12 +4451,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.611Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.005Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4542,67 +4490,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803646618Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.611619700Z'/\u003e\u003cEventRecordID\u003e101\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.005\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eups.analytics.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.611Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { 
+ "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "102", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "101", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pm.w55c.net", - "subdomain": "pm", - "registered_domain": "w55c.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.070Z", + "dns": { "answers": [ { "data": "dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com", @@ -4653,6 +4571,12 @@ "type": "A" } ], + "question": { + "name": "pm.w55c.net", + "registered_domain": "w55c.net", + "subdomain": "pm", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -4667,12 +4591,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.070Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4686,67 +4633,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803646948Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802369600Z'/\u003e\u003cEventRecordID\u003e102\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epm.w55c.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "103", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "102", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cm.eyereturn.com", - "subdomain": "cm", - "registered_domain": "eyereturn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.093Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -4797,6 +4714,12 @@ "type": "A" } ], + "question": { + "name": "cm.eyereturn.com", + "registered_domain": "eyereturn.com", + "subdomain": "cm", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -4812,12 +4735,35 @@ "192.168.51.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.093Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4838,67 +4784,37 @@ "192.168.51.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803647272Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802391800Z'/\u003e\u003cEventRecordID\u003e103\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.093\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.eyereturn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "104", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "103", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "www.googletagservices.com", - "subdomain": "www", - "registered_domain": "googletagservices.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.099Z", + "dns": { "answers": [ { "data": "pagead46.l.doubleclick.net", 
@@ -4909,16 +4825,45 @@ "type": "A" } ], + "question": { + "name": "www.googletagservices.com", + "registered_domain": "googletagservices.com", + "subdomain": "www", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.099Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -4929,67 +4874,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803647656Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802402000Z'/\u003e\u003cEventRecordID\u003e104\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.099\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.googletagservices.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead46.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "105", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "104", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cm.adgrx.com", - "subdomain": "cm", - "registered_domain": "adgrx.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.107Z", + "dns": { "answers": [ { "data": "rtb.adgrx.com", @@ -5040,6 +4955,12 @@ "type": "AAAA" } ], + "question": { + "name": "cm.adgrx.com", + "registered_domain": "adgrx.com", + "subdomain": "cm", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -5054,12 +4975,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + 
}, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.107Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -5080,67 +5024,37 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803648047Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802413000Z'/\u003e\u003cEventRecordID\u003e105\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adgrx.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 rtb.adgrx.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "106", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "105", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "csm2waycm-atl.netmng.com", - "subdomain": "csm2waycm-atl", - "registered_domain": "netmng.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.107Z", + "dns": { "answers": [ { "data": "j2waycm.netmng.com", @@ -5187,6 +5101,12 @@ "type": "AAAA" } ], + "question": { + "name": "csm2waycm-atl.netmng.com", + "registered_domain": "netmng.com", + "subdomain": "csm2waycm-atl", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -5199,12 +5119,35 @@ "2001:500:856e::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.107Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -5224,117 +5167,86 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803648422Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802423900Z'/\u003e\u003cEventRecordID\u003e106\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.107\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecsm2waycm-atl.netmng.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": 
{ + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "@timestamp": "2019-03-18T16:57:38.011Z", + }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "2", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4516 + "id": 1684 } }, - "event_id": "4", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "SchemaVersion": "4.20", - "Version": "9.01", - "State": "Started" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "106", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.011Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803648853Z", - "code": "4", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e4\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e2\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.011\u003c/Data\u003e\u003cData 
Name='State'\u003eStarted\u003c/Data\u003e\u003cData Name='Version'\u003e9.01\u003c/Data\u003e\u003cData Name='SchemaVersion'\u003e4.20\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:38.011Z", "category": [ "process" ], + "code": "4", + "created": "2019-03-18T16:57:38.011Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e4\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e2\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.011\u003c/Data\u003e\u003cData Name='State'\u003eStarted\u003c/Data\u003e\u003cData Name='Version'\u003e9.01\u003c/Data\u003e\u003cData Name='SchemaVersion'\u003e4.20\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "log": { + "level": "information" + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "107", + "channel": 
"Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SchemaVersion": "4.20", + "State": "Started", + "Version": "9.01" + }, + "event_id": "4", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4516 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "2", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pr-bh.ybp.yahoo.com", - "subdomain": "pr-bh.ybp", - "registered_domain": "yahoo.com", - "top_level_domain": "com" }, + "version": 3 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.112Z", + "dns": { "answers": [ { "data": "ds-pr-bh.ybp.gysm.yahoodns.net", 
@@ -5345,16 +5257,45 @@ "type": "A" } ], + "question": { + "name": "pr-bh.ybp.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "pr-bh.ybp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + 
"log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.112Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -5365,257 +5306,225 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803649391Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802433000Z'/\u003e\u003cEventRecordID\u003e107\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.112\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epr-bh.ybp.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "108", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "107", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ps.eyeota.net", - "subdomain": "ps", - "registered_domain": "eyeota.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.113Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "ps.eyeota.net", + "registered_domain": "eyeota.net", + "subdomain": "ps", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.113Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "ps.eyeota.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803649743Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802441200Z'/\u003e\u003cEventRecordID\u003e108\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.113\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eps.eyeota.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ps.eyeota.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, "user": { "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "108", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 } }, { + "@timestamp": "2019-03-18T16:57:37.949Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "process" + ], + "code": "1", + "created": "2019-03-18T16:57:38.011Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e3\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.949\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-0010c73e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4860\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e9.01\u003c/Data\u003e\u003cData Name='Description'\u003eSystem activity monitor\u003c/Data\u003e\u003cData Name='Product'\u003eSysinternals Sysmon\u003c/Data\u003e\u003cData Name='Company'\u003eSysinternals - www.sysinternals.com\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\u003c/Data\u003e\u003cData 
Name='ParentProcessGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0010f14d0000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e488\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\services.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\services.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "log": { + "level": "information" + }, "process": { "args": [ "C:\\Windows\\Sysmon.exe" ], + "args_count": 1, + "command_line": "C:\\Windows\\Sysmon.exe", + "entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", + "executable": "C:\\Windows\\Sysmon.exe", + "hash": { + "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" + }, + "name": "Sysmon.exe", "parent": { "args": [ "C:\\Windows\\system32\\services.exe" ], - "name": "services.exe", - "pid": 488, "args_count": 1, + "command_line": "C:\\Windows\\system32\\services.exe", "entity_id": "{42f11c3b-6e1a-5c8c-0000-0010f14d0000}", "executable": "C:\\Windows\\System32\\services.exe", - "command_line": "C:\\Windows\\system32\\services.exe" + "name": "services.exe", + "pid": 488 }, "pe": { - "file_version": "9.01", + "company": "Sysinternals - www.sysinternals.com", "description": "System activity monitor", - "product": "Sysinternals Sysmon", - "company": "Sysinternals - www.sysinternals.com" + "file_version": "9.01", + "product": "Sysinternals Sysmon" }, - "name": "Sysmon.exe", "pid": 4860, - "working_directory": "C:\\Windows\\system32\\", - "args_count": 1, - "entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", - "hash": { - "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" - }, - "executable": "C:\\Windows\\Sysmon.exe", - "command_line": "C:\\Windows\\Sysmon.exe" + "working_directory": "C:\\Windows\\system32\\" + }, + "related": { + "hash": [ + "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" + ], + "user": [ + "SYSTEM" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + 
"name": "SYSTEM" }, - "@timestamp": "2019-03-18T16:57:37.949Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "3", - "process": { - "pid": 4860, - "thread": { - "id": 4516 - } - }, - "event_id": "1", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", "event_data": { "Company": "Sysinternals - www.sysinternals.com", "Description": "System activity monitor", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", - "IntegrityLevel": "System", - "TerminalSessionId": "0", "FileVersion": "9.01", + "IntegrityLevel": "System", + "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonId": "0x3e7", "Product": "Sysinternals Sysmon", - "LogonId": "0x3e7" + "TerminalSessionId": "0" }, + "event_id": "1", "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "3", "user": { "identifier": "S-1-5-18" - } - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "SYSTEM" - ], - "hash": [ - "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" - ] - }, - "log": { - "level": "information" - }, - "event": { - "ingested": "2022-01-12T05:19:53.803650122Z", - "code": "1", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e3\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' 
ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.949\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-0010c73e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4860\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e9.01\u003c/Data\u003e\u003cData Name='Description'\u003eSystem activity monitor\u003c/Data\u003e\u003cData Name='Product'\u003eSysinternals Sysmon\u003c/Data\u003e\u003cData Name='Company'\u003eSysinternals - www.sysinternals.com\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\Sysmon.exe\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0010f14d0000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e488\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\services.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\services.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:38.011Z", - "category": [ - "process" - ], - "type": [ - "start" - ] - }, - "user": { - "name": "SYSTEM", - 
"domain": "NT AUTHORITY", - "id": "S-1-5-18" + }, + "version": 5 } }, { + "@timestamp": "2019-07-18T03:34:03.146Z", "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", "type": "filebeat", "version": "8.0.0" }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" - }, - "winlog": { - "computer_name": "vagrant-2016", - "record_id": "109", - "process": { - "pid": 2828, - "thread": { - "id": 1684 - } - }, - "event_id": "22", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, "dns": { - "question": { - "name": "idpix.media6degrees.com", - "subdomain": "idpix", - "registered_domain": "media6degrees.com", - "top_level_domain": "com" - }, "answers": [ { "data": "idpix.media6degrees.com.cdn.cloudflare.net", 
@@ -5638,17 +5547,46 @@ "type": "A" } ], + "question": { + "name": "idpix.media6degrees.com", + "registered_domain": "media6degrees.com", + "subdomain": "idpix", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.146Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -5661,67 +5599,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803650822Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802456000Z'/\u003e\u003cEventRecordID\u003e109\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidpix.media6degrees.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, 
"user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "110", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "109", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tpc.googlesyndication.com", - "subdomain": "tpc", - "registered_domain": "googlesyndication.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.146Z", + "dns": { "answers": [ { "data": "pagead-googlehosted.l.google.com", @@ -5764,6 +5672,12 @@ "type": "AAAA" } ], + "question": { + "name": "tpc.googlesyndication.com", + "registered_domain": "googlesyndication.com", + "subdomain": "tpc", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -5776,12 +5690,35 @@ "2001:500:856e::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + 
}, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.146Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -5800,170 +5737,139 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803651246Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802466200Z'/\u003e\u003cEventRecordID\u003e110\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.146\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead-googlehosted.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "110", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 } }, { + "@timestamp": "2019-03-18T16:57:37.964Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "process" + ], + "code": "1", + "created": "2019-03-18T16:57:38.011Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e4\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.964\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-00102c412a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5028\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\unsecapp.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData 
Name='Description'\u003eSink to receive asynchronous callbacks for WMI client application\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, "process": { "args": [ "C:\\Windows\\system32\\wbem\\unsecapp.exe", "-Embedding" ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding", + "entity_id": "{42f11c3b-ce01-5c8f-0000-00102c412a00}", + "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", + "hash": { + "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" + }, + "name": "unsecapp.exe", "parent": { "args": [ "C:\\Windows\\system32\\svchost.exe", "-k", "DcomLaunch" ], - "name": "svchost.exe", - "pid": 560, "args_count": 3, + "command_line": "C:\\Windows\\system32\\svchost.exe -k 
DcomLaunch", "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", "executable": "C:\\Windows\\System32\\svchost.exe", - "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" + "name": "svchost.exe", + "pid": 560 }, "pe": { - "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "company": "Microsoft Corporation", "description": "Sink to receive asynchronous callbacks for WMI client application", - "product": "Microsoft« Windows« Operating System", - "company": "Microsoft Corporation" + "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "product": "Microsoft« Windows« Operating System" }, - "name": "unsecapp.exe", "pid": 5028, - "working_directory": "C:\\Windows\\system32\\", - "args_count": 2, - "entity_id": "{42f11c3b-ce01-5c8f-0000-00102c412a00}", - "hash": { - "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" - }, - "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", - "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding" - }, - "@timestamp": "2019-03-18T16:57:37.964Z", - "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "4", - "process": { - "pid": 4860, - "thread": { - "id": 4516 - } - }, - "event_id": "1", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "Company": "Microsoft Corporation", - "Description": "Sink to receive asynchronous callbacks for WMI client application", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", - "IntegrityLevel": "System", - "TerminalSessionId": "0", - "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", - "Product": "Microsoft« Windows« Operating System", - "LogonId": "0x3e7" - }, - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } - }, - "ecs": { - "version": "8.0.0" + "working_directory": "C:\\Windows\\system32\\" }, "related": { - "user": [ - "SYSTEM" - ], "hash": [ 
"6df8163a6320b80b60733f9d62e2f39b4b16b678" - ] - }, - "log": { - "level": "information" - }, - "host": { - "name": "vagrant-2012-r2" - }, - "event": { - "ingested": "2022-01-12T05:19:53.803651763Z", - "code": "1", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.011477000Z'/\u003e\u003cEventRecordID\u003e4\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:37.964\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce01-5c8f-0000-00102c412a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5028\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\unsecapp.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eSink to receive asynchronous callbacks for WMI client application\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData 
Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:38.011Z", - "category": [ - "process" ], - "type": [ - "start" + "user": [ + "SYSTEM" ] }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "111", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "Sink to receive asynchronous callbacks for WMI client application", + "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "IntegrityLevel": "System", + "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonId": "0x3e7", + "Product": "Microsoft« Windows« Operating System", + "TerminalSessionId": "0" + }, + "event_id": "1", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4516 } }, - "event_id": "22", 
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "4", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "image2.pubmatic.com", - "subdomain": "image2", - "registered_domain": "pubmatic.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.182Z", + "dns": { "answers": [ { "data": "pug44000nfc.pubmatic.com", @@ -6010,6 +5916,12 @@ "type": "AAAA" } ], + "question": { + "name": "image2.pubmatic.com", + "registered_domain": "pubmatic.com", + "subdomain": "image2", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -6022,12 +5934,35 @@ "2001:500:856e::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.182Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6047,67 +5982,37 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803652106Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802480600Z'/\u003e\u003cEventRecordID\u003e111\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.182\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimage2.pubmatic.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { 
+ "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "112", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "111", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sam.msn.com", - "subdomain": "sam", - "registered_domain": "msn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.183Z", + "dns": { "answers": [ { "data": "www.msn.com", 
@@ -6126,17 +6031,46 @@ "type": "A" } ], - "resolved_ip": [ - "89.160.20.156" - ] - }, - "network": { - "protocol": "dns" + "question": { + "name": "sam.msn.com", + "registered_domain": "msn.com", + "subdomain": "sam", + "top_level_domain": "com" + }, + "resolved_ip": [ + "89.160.20.156" + ] }, - "@timestamp": "2019-07-18T03:34:03.183Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, "related": { "hosts": [ "www.msn.com", 
@@ -6148,67 +6082,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803652512Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802496100Z'/\u003e\u003cEventRecordID\u003e112\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.183\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esam.msn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", 
- "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "113", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "112", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.sca1b.amazontrust.com", - "subdomain": "ocsp.sca1b", - "registered_domain": "amazontrust.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.222Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -6259,6 +6163,12 @@ "type": "AAAA" } ], + "question": { + "name": "ocsp.sca1b.amazontrust.com", + "registered_domain": "amazontrust.com", + "subdomain": "ocsp.sca1b", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -6274,12 +6184,35 @@ "2001:500:856e::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.222Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6297,67 +6230,37 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803652908Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802516200Z'/\u003e\u003cEventRecordID\u003e113\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.222\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sca1b.amazontrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "114", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "113", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "c1.adform.net", - "subdomain": "c1", - "registered_domain": "adform.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.271Z", + "dns": { "answers": [ { "data": "track.adformnet.akadns.net", 
@@ -6376,17 +6279,46 @@ "type": "A" } ], + "question": { + "name": "c1.adform.net", + "registered_domain": "adform.net", + "subdomain": "c1", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + 
"type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.271Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6398,67 +6330,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803653272Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802540200Z'/\u003e\u003cEventRecordID\u003e114\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ec1.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "115", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "114", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "urs.microsoft.com", - "subdomain": "urs", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.271Z", + "dns": { "answers": [ { "data": "wd-prod-ss.trafficmanager.net", @@ -6493,6 +6395,12 @@ "type": "A" } ], + "question": { + "name": "urs.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "urs", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -6502,12 +6410,35 @@ "192.168.92.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": 
"information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.271Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6524,67 +6455,37 @@ "192.168.92.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803653748Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802550800Z'/\u003e\u003cEventRecordID\u003e115\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.271\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eurs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": 
{ + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "116", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "115", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dsum-sec.casalemedia.com", - "subdomain": "dsum-sec", - "registered_domain": "casalemedia.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.290Z", + "dns": { "answers": [ { "data": "dsum-sec.casalemedia.com.edgekey.net", 
@@ -6599,16 +6500,45 @@ "type": "A" } ], + "question": { + "name": "dsum-sec.casalemedia.com", + "registered_domain": "casalemedia.com", + "subdomain": "dsum-sec", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": 
[ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.290Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6620,67 +6550,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803654218Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802560700Z'/\u003e\u003cEventRecordID\u003e116\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.290\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum-sec.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "117", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "116", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.godaddy.com", - "subdomain": "ocsp", - "registered_domain": "godaddy.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.292Z", + "dns": { "answers": [ { "data": "ocsp.godaddy.com.akadns.net", 
@@ -6691,16 +6591,45 @@ "type": "A" } ], + "question": { + "name": "ocsp.godaddy.com", + "registered_domain": "godaddy.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.292Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -6711,266 +6640,233 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803654589Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802569800Z'/\u003e\u003cEventRecordID\u003e117\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.292\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.godaddy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.godaddy.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "118", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "117", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.315Z", "dns": { "question": { "name": "googleads.g.doubleclick.net", - "subdomain": "googleads.g", "registered_domain": "doubleclick.net", + "subdomain": "googleads.g", "top_level_domain": "net" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.315Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "googleads.g.doubleclick.net" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803654919Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802587100Z'/\u003e\u003cEventRecordID\u003e118\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802587100Z'/\u003e\u003cEventRecordID\u003e118\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 
03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "googleads.g.doubleclick.net" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "119", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "118", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.315Z", "dns": { "question": { "name": "tpc.googlesyndication.com", - "subdomain": "tpc", 
"registered_domain": "googlesyndication.com", + "subdomain": "tpc", "top_level_domain": "com" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.315Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "tpc.googlesyndication.com" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803655292Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802678700Z'/\u003e\u003cEventRecordID\u003e119\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", "category": [ "network" ], + "code": "22", + "created": 
"2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802678700Z'/\u003e\u003cEventRecordID\u003e119\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.315\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etpc.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "tpc.googlesyndication.com" + ] + }, + "sysmon": { + "dns": { + "status": 
"DNS_ERROR_RECORD_DOES_NOT_EXIST" + } + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "Sysmon.exe", - "pid": 4616, - "entity_id": "{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}", - "executable": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe" }, - "@timestamp": "2019-03-18T16:57:38.981Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "5", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4516 + "id": 1684 } }, - "event_id": "5", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "119", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.981Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803655634Z", - "code": "5", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e5\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData 
Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:38.981Z", "category": [ "process" ], + "code": "5", + "created": "2019-03-18T16:57:38.981Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e5\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "end" ] }, + "log": { + "level": "information" + }, + "process": { + 
"entity_id": "{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}", + "executable": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe", + "name": "Sysmon.exe", + "pid": 4616 + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "120", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "5", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4516 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "5", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.usertrust.com", - "subdomain": "ocsp", - "registered_domain": "usertrust.com", - "top_level_domain": "com" }, + "version": 3 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.333Z", + "dns": { "answers": [ { "data": "t3j2g9x7.stackpathcdn.com", @@ -7017,6 +6913,12 @@ "type": "A" } ], + "question": { + "name": "ocsp.usertrust.com", + "registered_domain": "usertrust.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -7030,12 +6932,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.333Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -7055,67 +6980,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803656014Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802700200Z'/\u003e\u003cEventRecordID\u003e120\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.333\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.usertrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "121", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "120", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "isrg.trustid.ocsp.identrust.com", - "subdomain": "isrg.trustid.ocsp", - "registered_domain": "identrust.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.343Z", + "dns": { "answers": [ { "data": "isrg.trustid.ocsp.identrust.com.edgesuite.net", 
@@ -7134,17 +7029,46 @@ "type": "A" } ], + "question": { + "name": "isrg.trustid.ocsp.identrust.com", + "registered_domain": "identrust.com", + "subdomain": "isrg.trustid.ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.343Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -7156,67 +7080,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803656394Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802715400Z'/\u003e\u003cEventRecordID\u003e121\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.343\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eisrg.trustid.ocsp.identrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - 
"process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "122", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "121", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ad.doubleclick.net", - "subdomain": "ad", - "registered_domain": "doubleclick.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.391Z", + "dns": { "answers": [ { "data": "dart.l.doubleclick.net", 
@@ -7227,16 +7121,45 @@ "type": "A" } ], + "question": { + "name": "ad.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": "ad", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.391Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -7247,118 +7170,87 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803656782Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802729100Z'/\u003e\u003cEventRecordID\u003e122\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.391\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ead.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dart.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "Sysmon.exe", - "pid": 4648, - "entity_id": 
"{42f11c3b-cdf4-5c8f-0000-0010071e2a00}", - "executable": "C:\\Users\\vagrant\\Downloads\\Sysmon.exe" }, - "@timestamp": "2019-03-18T16:57:38.981Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "6", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4516 + "id": 1684 } }, - "event_id": "5", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "122", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.981Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803657299Z", - "code": "5", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e6\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010071e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4648\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\Downloads\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:38.981Z", "category": [ "process" ], + "code": "5", + "created": "2019-03-18T16:57:38.981Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:38.981137800Z'/\u003e\u003cEventRecordID\u003e6\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:38.981\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cdf4-5c8f-0000-0010071e2a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4648\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Users\\vagrant\\Downloads\\Sysmon.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "end" ] }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-cdf4-5c8f-0000-0010071e2a00}", + "executable": "C:\\Users\\vagrant\\Downloads\\Sysmon.exe", + "name": "Sysmon.exe", + "pid": 
4648 + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "123", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "5", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4516 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "6", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.sectigo.com", - "subdomain": "ocsp", - "registered_domain": "sectigo.com", - "top_level_domain": "com" }, + "version": 3 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.393Z", + "dns": { "answers": [ { "data": "t3j2g9x7.stackpathcdn.com", @@ -7405,6 +7297,12 @@ "type": "A" } ], + "question": { + "name": "ocsp.sectigo.com", + "registered_domain": "sectigo.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -7418,12 +7316,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.393Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -7443,485 +7364,450 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803657770Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802739000Z'/\u003e\u003cEventRecordID\u003e123\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.393\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.sectigo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "123", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 } }, { + "@timestamp": "2019-03-18T16:57:39.012Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "process" + ], + "code": "1", + "created": "2019-03-18T16:57:39.012Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:39.012744700Z'/\u003e\u003cEventRecordID\u003e7\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:39.012\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ce03-5c8f-0000-0010e9462a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4508\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData 
Name='Description'\u003eWMI Provider Host\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "log": { + "level": "information" + }, "process": { "args": [ "C:\\Windows\\system32\\wbem\\wmiprvse.exe", "-Embedding" ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding", + "entity_id": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}", + "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "hash": { + "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" + }, + "name": "WmiPrvSE.exe", "parent": { "args": [ "C:\\Windows\\system32\\svchost.exe", "-k", "DcomLaunch" ], - "name": "svchost.exe", - "pid": 560, "args_count": 3, + "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", "executable": 
"C:\\Windows\\System32\\svchost.exe", - "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" + "name": "svchost.exe", + "pid": 560 }, "pe": { - "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "company": "Microsoft Corporation", "description": "WMI Provider Host", - "product": "Microsoft« Windows« Operating System", - "company": "Microsoft Corporation" + "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "product": "Microsoft« Windows« Operating System" }, - "name": "WmiPrvSE.exe", "pid": 4508, - "working_directory": "C:\\Windows\\system32\\", - "args_count": 2, - "entity_id": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}", - "hash": { - "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" - }, - "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" + "working_directory": "C:\\Windows\\system32\\" + }, + "related": { + "hash": [ + "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" + ], + "user": [ + "SYSTEM" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-18T16:57:39.012Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "7", - "process": { - "pid": 4860, - "thread": { - "id": 4516 - } - }, - "event_id": "1", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", "event_data": { "Company": "Microsoft Corporation", "Description": "WMI Provider Host", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", - "IntegrityLevel": "System", - "TerminalSessionId": "0", "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "IntegrityLevel": "System", + "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonId": "0x3e7", "Product": "Microsoft« Windows« Operating System", - "LogonId": "0x3e7" + "TerminalSessionId": "0" }, + "event_id": "1", "opcode": "Info", + "process": { + "pid": 
4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "7", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:47.847Z", + "destination": { + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 53 }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" + "event": { + "category": [ + "network" ], - "hash": [ - "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" + "code": "3", + "created": "2019-03-18T16:57:49.089Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData 
Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" ] }, "log": { "level": "information" }, - "event": { - "ingested": "2022-01-12T05:19:53.803658252Z", - "code": "1", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:39.012744700Z'/\u003e\u003cEventRecordID\u003e7\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:39.012\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{42f11c3b-ce03-5c8f-0000-0010e9462a00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4508\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e6.3.9600.16384 (winblue_rtm.130821-1623)\u003c/Data\u003e\u003cData Name='Description'\u003eWMI Provider Host\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='CommandLine'\u003eC:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Windows\\system32\\\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{42f11c3b-6e1a-5c8c-0000-0020e7030000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x3e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e0\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eSystem\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{42f11c3b-6e1b-5c8c-0000-00102f610000}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e560\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\system32\\svchost.exe -k DcomLaunch\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:39.012Z", - "category": [ - "process" + "network": { + "community_id": "1:o5sHG56d/GR7mu8ASz0uSsv7uF0=", + "direction": "egress", + "protocol": "domain", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "related": { 
+ "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" ], - "type": [ - "start" + "user": [ + "NETWORK SERVICE" ] }, + "source": { + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 62141 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" + "id": "S-1-5-18", + "name": "NETWORK SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "8", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "8", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.070Z", "destination": { - "port": 53, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "source": { - "port": 62141, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "network": { - "protocol": "domain", - "community_id": "1:o5sHG56d/GR7mu8ASz0uSsv7uF0=", - "transport": "udp", - "type": "ipv6", - "direction": "egress" + "ip": "10.0.2.3", + "port": 53 }, - "@timestamp": "2019-03-18T16:57:47.847Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "NETWORK SERVICE" - ], - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803658764Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e8\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:47.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": 
"2019-03-18T16:57:49.089Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.089Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e9\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData 
Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, - "user": { - "name": "NETWORK SERVICE", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" - }, - "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "9", - "process": { - "pid": 4860, - "thread": { - "id": 4492 - } - }, - "event_id": "3", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } - }, "log": { "level": "information" }, - "destination": { - "port": 53, - "ip": "10.0.2.3" - }, - "source": { - "port": 62141, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" - }, "network": { - "protocol": "domain", "community_id": "1:TXczQujzvcGYSvZ/CKEBu1p2riE=", + "direction": "ingress", + "protocol": "domain", "transport": "udp", - "type": "ipv4", - "direction": "ingress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:48.070Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 }, "related": { - "user": [ - "NETWORK SERVICE" - ], "ip": [ "10.0.2.15", "10.0.2.3" - ] - }, - "event": { - "ingested": "2022-01-12T05:19:53.803659196Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.089723100Z'/\u003e\u003cEventRecordID\u003e9\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e62141\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e53\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003edomain\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": 
"2019-03-18T16:57:49.089Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "NETWORK SERVICE" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 62141 + }, "user": { - "name": "NETWORK SERVICE", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "chrome.exe", - "pid": 1600, - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "id": "S-1-5-18", + "name": "NETWORK SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "10", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "9", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.148Z", + "destination": { + "ip": "89.160.20.156", + "port": 443 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 443, - "ip": "89.160.20.156" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 1138, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" + "log": { + "level": "information" }, "network": { - "protocol": "https", "community_id": "1:BPIgbA//CuXUCUo7V4pQn4uLQOk=", + "direction": "egress", + "protocol": "https", "transport": 
"tcp", - "type": "ipv4", - "direction": "egress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:48.148Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 }, "related": { - "user": [ - "vagrant" - ], "ip": [ "10.0.2.15", "89.160.20.156" - ] - }, - "event": { - "ingested": "2022-01-12T05:19:53.803659797Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e10\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.148\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1138\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "vagrant" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 1138 + }, "user": { - "name": "vagrant", "domain": "VAGRANT-2012-R2", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "chrome.exe", - "pid": 1600, - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "id": "S-1-5-18", + "name": "vagrant" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "11", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "10", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.214Z", + "destination": { + "ip": "89.160.20.156", + "port": 443 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 443, - "ip": 
"89.160.20.156" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData 
Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 1139, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" + "log": { + "level": "information" }, "network": { - "protocol": "https", "community_id": "1:FaLCJ8g6qTBdQh1Rvg2/ru25R6M=", + "direction": "egress", + "protocol": "https", "transport": "tcp", - "type": "ipv4", - "direction": "egress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:48.214Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 }, "related": { - "user": [ - "vagrant" - ], "ip": [ "10.0.2.15", "89.160.20.156" - ] - }, - "event": { - "ingested": "2022-01-12T05:19:53.803660267Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e11\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.214\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT-2012-R2\\vagrant\u003c/Data\u003e\u003cData Name='Protocol'\u003etcp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e1139\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e443\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ehttps\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "vagrant" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 1139 + }, "user": { - "name": "vagrant", "domain": "VAGRANT-2012-R2", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "vagrant" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "124", + 
"channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4492 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "11", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.int-x3.letsencrypt.org", - "subdomain": "ocsp.int-x3", - "registered_domain": "letsencrypt.org", - "top_level_domain": "org" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.468Z", + "dns": { "answers": [ { "data": "ocsp.int-x3.letsencrypt.org.edgesuite.net", 
@@ -7940,17 +7826,46 @@ "type": "A" } ], + "question": { + "name": "ocsp.int-x3.letsencrypt.org", + "registered_domain": "letsencrypt.org", + "subdomain": "ocsp.int-x3", + "top_level_domain": "org" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + 
"provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.468Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -7962,67 +7877,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803660871Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802753800Z'/\u003e\u003cEventRecordID\u003e124\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.468\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.int-x3.letsencrypt.org\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": 
{ - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "125", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "124", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.pki.goog", - "subdomain": "ocsp", - "registered_domain": "pki.goog", - "top_level_domain": "goog" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.581Z", + "dns": { "answers": [ { "data": "pki-goog.l.google.com", @@ -8069,6 +7954,12 @@ "type": "A" } ], + "question": { + "name": "ocsp.pki.goog", + "registered_domain": "pki.goog", + "subdomain": "ocsp", + "top_level_domain": "goog" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -8082,12 +7973,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:03.802Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": 
{ "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.581Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -8107,146 +8021,115 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803661238Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:03.802768300Z'/\u003e\u003cEventRecordID\u003e125\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.581\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.pki.goog\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pki-goog.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:03.802Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "12", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4492 + "id": 1684 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "125", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", + "destination": { + "ip": "10.0.2.255", + "port": 137 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 137, - "ip": "10.0.2.255" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e12\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData 
Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 137, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" + "log": { + "level": "information" }, "network": { - "protocol": "netbios-ns", "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", + "direction": "egress", + "protocol": "netbios-ns", "transport": "udp", - "type": "ipv4", - "direction": "egress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:48.250Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 }, "related": { - "user": [ - "SYSTEM" - ], "ip": [ "10.0.2.15", "10.0.2.255" - ] - }, - "event": { - "ingested": "2022-01-12T05:19:53.803661622Z", - "code": "3", - "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e12\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData 
Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "SYSTEM" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "126", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4492 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "12", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "googleads4.g.doubleclick.net", - "subdomain": "googleads4.g", - "registered_domain": "doubleclick.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.872Z", + "dns": { "answers": [ { "data": "pagead.l.doubleclick.net", 
@@ -8257,16 +8140,45 @@ "type": "A" } ], + "question": { + "name": "googleads4.g.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": "googleads4.g", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.872Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -8277,153 +8189,122 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803662007Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029828800Z'/\u003e\u003cEventRecordID\u003e126\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.872\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egoogleads4.g.doubleclick.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": 
"f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "13", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4492 + "id": 1684 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "126", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "destination": { - "port": 137, + "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" + "port": 137 }, - "source": { - "port": 137, - "ip": "10.0.2.255" - }, - "network": { - "protocol": "netbios-ns", - "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", - "transport": "udp", - "type": "ipv4", - "direction": "ingress" - }, - "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" - ], - "ip": [ - "10.0.2.255", - "10.0.2.15" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803662492Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e13\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ 
"network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e13\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.255\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", + "direction": "ingress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "10.0.2.255", + "10.0.2.15" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "ip": "10.0.2.255", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "127", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4492 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "13", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "images.taboola.com", - "subdomain": "images", - "registered_domain": "taboola.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.889Z", + "dns": { "answers": [ { "data": "f2.taboola.map.fastly.net", 
@@ -8446,6 +8327,12 @@ "type": "A" } ], + "question": { + "name": "images.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "images", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -8453,12 +8340,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.889Z", - 
"ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -8469,779 +8379,740 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803662824Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029851300Z'/\u003e\u003cEventRecordID\u003e127\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.889\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimages.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "14", - "process": { - "pid": 4860, + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, "thread": { - "id": 4492 + "id": 1684 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "127", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", + "destination": { + "ip": "ff02:0:0:0:0:0:1:3", + "port": 5355 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 5355, - "ip": "ff02:0:0:0:0:0:1:3" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e14\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:e488:b85c:5262:ff86\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 55542, - "ip": "fe80:0:0:0:e488:b85c:5262:ff86", - "domain": "vagrant-2012-r2.local.crowbird.com" + "log": { + "level": "information" }, "network": { - "protocol": "llmnr", "community_id": "1:4DSgubObvMEI9IKNWPDqltrux+k=", + "direction": "egress", + "protocol": "llmnr", "transport": "udp", - "type": "ipv6", - "direction": "egress" + "type": "ipv6" }, - "@timestamp": "2019-03-18T16:57:48.250Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 
924 }, "related": { - "user": [ - "NETWORK SERVICE" - ], "ip": [ "fe80:0:0:0:e488:b85c:5262:ff86", "ff02:0:0:0:0:0:1:3" - ] - }, - "event": { - "ingested": "2022-01-12T05:19:53.803663152Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e14\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:e488:b85c:5262:ff86\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "NETWORK SERVICE" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "fe80:0:0:0:e488:b85c:5262:ff86", + "port": 55542 + }, "user": { - "name": "NETWORK SERVICE", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" + "id": "S-1-5-18", + "name": "NETWORK SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "15", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "14", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", "destination": { - "port": 5355, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "source": { - "port": 55542, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "network": { - "protocol": "llmnr", - "community_id": "1:zjVE29ipqvMTvzEUbTYQ6tGBM08=", - "transport": "udp", - "type": "ipv6", - "direction": "egress" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + 
"port": 5355 }, - "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "NETWORK SERVICE" - ], - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803663545Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e15\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData 
Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55542\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:zjVE29ipqvMTvzEUbTYQ6tGBM08=", + "direction": "egress", + "protocol": "llmnr", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "user": [ + "NETWORK SERVICE" + ] + }, + "source": { + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 55542 + }, "user": { - "name": "NETWORK SERVICE", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" + "id": "S-1-5-18", + "name": "NETWORK SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "16", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": 
"Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "15", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", "destination": { - "port": 137, - "ip": "89.160.20.156" - }, - "source": { - "port": 137, - "ip": "89.160.20.156" - }, - "network": { - "protocol": "netbios-ns", - "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", - "transport": "udp", - "type": "ipv4", - "direction": "egress" + "ip": "89.160.20.156", + "port": 137 }, - "@timestamp": "2019-03-18T16:57:48.250Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803664077Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT 
AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e16\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.250\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", + "direction": "egress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, "process": { "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "89.160.20.156" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "ip": "89.160.20.156", + "port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "17", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", 
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "16", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", "destination": { - "port": 137, - "ip": "89.160.20.156" - }, - "source": { - "port": 137, - "ip": "89.160.20.156" - }, - "network": { - "protocol": "netbios-ns", - "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", - "transport": "udp", - "type": "ipv4", - "direction": "ingress" + "ip": "89.160.20.156", + "port": 137 }, - "@timestamp": "2019-03-18T16:57:48.251Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803664590Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e17\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' 
ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:fbQ9BbXiy01VWluiIQp2GM9FUAU=", + "direction": "ingress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "89.160.20.156" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "ip": "89.160.20.156", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - 
} - }, - { - "process": { - "name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "18", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "17", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", + "destination": { + "ip": "ff02:0:0:0:0:0:1:3", + "port": 5355 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 5355, - "ip": "ff02:0:0:0:0:0:1:3" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e18\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData 
Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:616f:32fa:b04f:b419\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - "port": 55717, - "ip": "fe80:0:0:0:616f:32fa:b04f:b419" + "log": { + "level": "information" }, "network": { - "protocol": "llmnr", "community_id": "1:Zt/ImHlMNf4MciHXlRDkivgw2jY=", + "direction": "egress", + "protocol": "llmnr", "transport": "udp", - "type": "ipv6", - "direction": "egress" + "type": "ipv6" }, - "@timestamp": "2019-03-18T16:57:48.251Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 }, "related": { - "user": [ - "NETWORK SERVICE" - ], "ip": [ "fe80:0:0:0:616f:32fa:b04f:b419", "ff02:0:0:0:0:0:1:3" - ] - }, - "event": { - "ingested": 
"2022-01-12T05:19:53.803665093Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e18\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003efe80:0:0:0:616f:32fa:b04f:b419\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003eff02:0:0:0:0:0:1:3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "NETWORK SERVICE" ] }, + "source": { + "ip": "fe80:0:0:0:616f:32fa:b04f:b419", + "port": 55717 + }, "user": { - "name": "NETWORK SERVICE", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 924, - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" + "id": "S-1-5-18", + "name": "NETWORK SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "19", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "18", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", "destination": { - "port": 5355, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 5355 }, - "source": { - "port": 55717, - "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - }, - "network": { - "protocol": "llmnr", - "community_id": "1:CbJTXAoYGQFCeKHghMVMZBaSXX0=", - "transport": "udp", - "type": "ipv6", - "direction": "egress" - }, - "@timestamp": "2019-03-18T16:57:48.251Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "NETWORK SERVICE" - ], - "ip": [ - "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" - ] - }, "event": { - "ingested": 
"2022-01-12T05:19:53.803665604Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e19\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.251\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-0bad-5c8c-0000-0010dfbc0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e924\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\NETWORK SERVICE\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='SourceHostname'\u003e\u003c/Data\u003e\u003cData 
Name='SourcePort'\u003e55717\u003c/Data\u003e\u003cData Name='SourcePortName'\u003e\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003etrue\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e5355\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003ellmnr\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:CbJTXAoYGQFCeKHghMVMZBaSXX0=", + "direction": "egress", + "protocol": "llmnr", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "related": { + "ip": [ + "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6" + ], + "user": [ + "NETWORK SERVICE" + ] + }, + "source": { + "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6", + "port": 55717 + }, "user": { - "name": "NETWORK SERVICE", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" + "id": "S-1-5-18", + "name": "NETWORK SERVICE" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "20", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "19", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": 
"2019-03-18T16:57:48.264Z", "destination": { - "port": 137, - "ip": "89.160.20.156" - }, - "source": { - "port": 137, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" - }, - "network": { - "protocol": "netbios-ns", - "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", - "transport": "udp", - "type": "ipv4", - "direction": "egress" + "ip": "89.160.20.156", + "port": 137 }, - "@timestamp": "2019-03-18T16:57:48.264Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" - ], - "ip": [ - "10.0.2.15", - "89.160.20.156" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T05:19:53.803665998Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData 
Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.264\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" - }, - "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "21", - "process": { - "pid": 4860, - "thread": { - "id": 4492 - } - }, - "event_id": "3", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } + "host": { + "name": "vagrant-2012-r2" }, "log": { "level": "information" }, - "destination": { - "port": 137, - "ip": "10.0.2.3" - }, - "source": { - "port": 137, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" - }, "network": { + 
"community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", + "direction": "egress", "protocol": "netbios-ns", - "community_id": "1:okFVyky/zOY2Q0BATy37YsbiveA=", "transport": "udp", - "type": "ipv4", - "direction": "egress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:48.276Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 }, "related": { - "user": [ - "SYSTEM" - ], "ip": [ "10.0.2.15", - "10.0.2.3" + "89.160.20.156" + ], + "user": [ + "SYSTEM" ] }, - "host": { - "name": "vagrant-2012-r2" + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "20", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.276Z", + "destination": { + "ip": "10.0.2.3", + "port": 137 + }, + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-12T05:19:53.803666372Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e21\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.276\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:49.340Z", "category": [ "network" ], + "code": "3", + "created": "2019-03-18T16:57:49.340Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:49.340580700Z'/\u003e\u003cEventRecordID\u003e21\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:48.276\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e10.0.2.3\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, - "user": { - "name": "SYSTEM", - 
"domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:okFVyky/zOY2Q0BATy37YsbiveA=", + "direction": "egress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, "process": { "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "22", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4492 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "21", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:49.213Z", + "destination": { + "ip": "89.160.20.156", + "port": 137 }, - "log": { - "level": "information" + "ecs": { + "version": "8.0.0" }, - "destination": { - "port": 137, - "ip": "89.160.20.156" + "event": { + "category": [ + "network" + ], + "code": "3", + "created": "2019-03-18T16:57:50.357Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] }, - "source": { - 
"port": 137, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" + "log": { + "level": "information" }, "network": { - "protocol": "netbios-ns", "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", + "direction": "egress", + "protocol": "netbios-ns", "transport": "udp", - "type": "ipv4", - "direction": "egress" + "type": "ipv4" }, - "@timestamp": "2019-03-18T16:57:49.213Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 }, "related": { - "user": [ - "SYSTEM" - ], "ip": [ "10.0.2.15", "89.160.20.156" - ] - }, - "event": { - "ingested": "2022-01-12T05:19:53.803666771Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e22\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.213\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData 
Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:50.357Z", - "category": [ - "network" ], - "type": [ - "start", - "connection", - "protocol" + "user": [ + "SYSTEM" ] }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "128", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4492 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "22", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - 
"dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "api-s2s.taboola.com", - "subdomain": "api-s2s", - "registered_domain": "taboola.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.890Z", + "dns": { "answers": [ { "data": "f2.taboola.map.fastly.net", @@ -9264,6 +9135,12 @@ "type": "A" } ], + "question": { + "name": "api-s2s.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "api-s2s", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -9271,83 +9148,76 @@ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.890Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "f2.taboola.map.fastly.net", - "api-s2s.taboola.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803667096Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - 
"created": "2019-07-18T03:34:04.029Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029861900Z'/\u003e\u003cEventRecordID\u003e128\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.890\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eapi-s2s.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe" + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "f2.taboola.map.fastly.net", + "api-s2s.taboola.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "129", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "128", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "x.bidswitch.net", - "subdomain": "x", - "registered_domain": "bidswitch.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.892Z", + "dns": { "answers": [ { "data": "89.160.20.156", 
@@ -9358,87 +9228,86 @@ "type": "A" } ], + "question": { + "name": "x.bidswitch.net", + "registered_domain": "bidswitch.net", + "subdomain": "x", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.892Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "x.bidswitch.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803667451Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029870000Z'/\u003e\u003cEventRecordID\u003e129\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.892\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.bidswitch.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, 
"process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "x.bidswitch.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "130", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "129", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pixel.adsafeprotected.com", - "subdomain": "pixel", - "registered_domain": "adsafeprotected.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.894Z", + "dns": { "answers": [ { "data": "anycast.pixel.adsafeprotected.com", @@ -9485,6 +9354,12 @@ "type": "A" } ], + "question": { + "name": "pixel.adsafeprotected.com", + "registered_domain": "adsafeprotected.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -9498,12 +9373,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": 
"information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.894Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -9523,66 +9421,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803667778Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029880600Z'/\u003e\u003cEventRecordID\u003e130\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.pixel.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + 
"dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "131", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "130", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ml314.com", - "top_level_domain": "com", - "registered_domain": "ml314.com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.894Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -9633,6 +9502,11 @@ "type": "A" } ], + "question": { + "name": "ml314.com", + "registered_domain": "ml314.com", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -9648,91 +9522,84 @@ "192.168.94.30" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:03.894Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "ml314.com" - ], - "ip": [ - "89.160.20.156", - "192.168.6.30", - "2001:503:a83e::2:30", - "192.168.14.30", - "2001:503:231d::2:30", - "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30", - "2001:500:856e::30", - "192.168.94.30" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803668193Z", + "category": [ + "network" + ], "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029890100Z'/\u003e\u003cEventRecordID\u003e131\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.894\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eml314.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData 
Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ml314.com" + ], + "ip": [ + "89.160.20.156", + "192.168.6.30", + "2001:503:a83e::2:30", + "192.168.14.30", + "2001:503:231d::2:30", + "192.168.92.30", + "2001:503:83eb::30", + "192.168.80.30", + "2001:500:856e::30", + "192.168.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "132", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "131", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "aa.agkn.com", - "subdomain": "aa", - "registered_domain": "agkn.com", - "top_level_domain": 
"com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.902Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -9783,6 +9650,12 @@ "type": "AAAA" } ], + "question": { + "name": "aa.agkn.com", + "registered_domain": "agkn.com", + "subdomain": "aa", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -9798,12 +9671,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.902Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -9823,67 +9719,37 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803668569Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029900000Z'/\u003e\u003cEventRecordID\u003e132\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.902\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eaa.agkn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "133", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "132", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "s0.2mdn.net", - "subdomain": "s0", - "registered_domain": "2mdn.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.911Z", + "dns": { "answers": [ { "data": "s0-2mdn-net.l.google.com", @@ -9930,6 +9796,12 @@ "type": "A" } ], + "question": { + "name": "s0.2mdn.net", + "registered_domain": "2mdn.net", + "subdomain": "s0", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -9943,12 +9815,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.911Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -9968,67 +9863,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803668957Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029909900Z'/\u003e\u003cEventRecordID\u003e133\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es0.2mdn.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 s0-2mdn-net.l.google.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "134", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "133", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "b.scorecardresearch.com", - "subdomain": "b", - "registered_domain": "scorecardresearch.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.911Z", + "dns": { "answers": [ { "data": "b.scorecardresearch.com.edgesuite.net", 
@@ -10047,17 +9912,46 @@ "type": "A" } ], + "question": { + "name": "b.scorecardresearch.com", + "registered_domain": "scorecardresearch.com", + "subdomain": "b", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.029Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.911Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -10069,67 +9963,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803669329Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.029920400Z'/\u003e\u003cEventRecordID\u003e134\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb.scorecardresearch.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.029Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "135", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "134", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "edw.edmunds.com", - "subdomain": "edw", - "registered_domain": "edmunds.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.921Z", + "dns": { "answers": [ { "data": "f2.shared.global.fastly.net", @@ -10152,6 +10016,12 @@ "type": "A" } ], + "question": { + "name": "edw.edmunds.com", + "registered_domain": "edmunds.com", + "subdomain": "edw", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -10159,12 +10029,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.548Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:03.921Z", - 
"ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -10175,67 +10068,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803669698Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.548958100Z'/\u003e\u003cEventRecordID\u003e135\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:03.921\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eedw.edmunds.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.548Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "136", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "135", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.digicert.com", - "subdomain": "ocsp", - "registered_domain": "digicert.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.101Z", + "dns": { "answers": [ { "data": "cs9.wac.phicdn.net", 
@@ -10246,16 +10109,45 @@ "type": "A" } ], + "question": { + "name": "ocsp.digicert.com", + "registered_domain": "digicert.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.101Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -10266,67 +10158,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803670149Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692712500Z'/\u003e\u003cEventRecordID\u003e136\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.101\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.digicert.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "137", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "136", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pre-usermatch.targeting.unrulymedia.com", - "subdomain": "pre-usermatch.targeting", - "registered_domain": "unrulymedia.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.137Z", + "dns": { "answers": [ { "data": "usermatch.targeting.unrulymedia.com", @@ -10373,7 +10235,13 @@ "type": "AAAA" } ], - "resolved_ip": [ + "question": { + "name": "pre-usermatch.targeting.unrulymedia.com", + "registered_domain": "unrulymedia.com", + "subdomain": "pre-usermatch.targeting", + "top_level_domain": "com" + }, + "resolved_ip": [ "89.160.20.156", "89.160.20.156", "89.160.20.156", 
@@ -10386,12 +10254,35 @@ "2001:503:83eb::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.137Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -10408,67 +10299,37 @@ "2001:503:83eb::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803670550Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692750200Z'/\u003e\u003cEventRecordID\u003e137\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.137\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epre-usermatch.targeting.unrulymedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 usermatch.targeting.unrulymedia.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - 
"protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "138", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "137", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "farm.plista.com", - "subdomain": "farm", - "registered_domain": "plista.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.141Z", + "dns": { "answers": [ { "data": "farm-hetzner.plista.com", @@ -10523,6 +10384,12 @@ "type": "A" } ], + "question": { + "name": "farm.plista.com", + "registered_domain": "plista.com", + "subdomain": "farm", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -10538,12 +10405,35 @@ "192.168.80.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + 
] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.141Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -10561,67 +10451,37 @@ "192.168.80.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803670978Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692762900Z'/\u003e\u003cEventRecordID\u003e138\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.141\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003efarm.plista.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 farm-hetzner.plista.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", 
- "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "139", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "138", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "beacon.krxd.net", - "subdomain": "beacon", - "registered_domain": "krxd.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.168Z", + "dns": { "answers": [ { "data": "beacon-n-ash.lb.krxd.net", @@ -10668,6 +10528,12 @@ "type": "A" } ], + "question": { + "name": "beacon.krxd.net", + "registered_domain": "krxd.net", + "subdomain": "beacon", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -10680,12 +10546,35 @@ "192.168.6.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.168Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -10698,611 +10587,572 @@ "192.168.6.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803671321Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692780500Z'/\u003e\u003cEventRecordID\u003e139\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.168\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ebeacon.krxd.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", - "pid": 4, - "executable": "System" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "23", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 2828, "thread": { - "id": 4492 + "id": 1684 } }, - "event_id": "3", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "139", "user": { "identifier": "S-1-5-18" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:49.218Z", "destination": { - "port": 137, - "ip": "89.160.20.156" + "ip": "89.160.20.156", + "port": 137 }, - "source": { - "port": 137, - "ip": "10.0.2.15", - "domain": "vagrant-2012-r2.local.crowbird.com" - }, - "network": { - "protocol": "netbios-ns", - "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", - "transport": "udp", - "type": "ipv4", - "direction": "egress" - }, - "@timestamp": "2019-03-18T16:57:49.218Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" - ], - "ip": [ - "10.0.2.15", - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803671742Z", - "code": "3", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:50.357Z", "category": [ 
"network" ], + "code": "3", + "created": "2019-03-18T16:57:50.357Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e3\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e3\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:50.357238700Z'/\u003e\u003cEventRecordID\u003e23\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4492'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:49.218\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-6e19-5c8c-0000-0010eb030000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4\u003c/Data\u003e\u003cData Name='Image'\u003eSystem\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Protocol'\u003eudp\u003c/Data\u003e\u003cData Name='Initiated'\u003etrue\u003c/Data\u003e\u003cData Name='SourceIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='SourceIp'\u003e10.0.2.15\u003c/Data\u003e\u003cData Name='SourceHostname'\u003evagrant-2012-r2.local.crowbird.com\u003c/Data\u003e\u003cData Name='SourcePort'\u003e137\u003c/Data\u003e\u003cData Name='SourcePortName'\u003enetbios-ns\u003c/Data\u003e\u003cData Name='DestinationIsIpv6'\u003efalse\u003c/Data\u003e\u003cData Name='DestinationIp'\u003e89.160.20.156\u003c/Data\u003e\u003cData Name='DestinationHostname'\u003e\u003c/Data\u003e\u003cData 
Name='DestinationPort'\u003e137\u003c/Data\u003e\u003cData Name='DestinationPortName'\u003enetbios-ns\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "start", "connection", "protocol" ] }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:W+rKY9g2gw/4oKxs1Chg32lzBig=", + "direction": "egress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "10.0.2.15", + "89.160.20.156" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "chrome.exe", - "pid": 4832, - "entity_id": "{42f11c3b-ccc6-5c8f-0000-001005082900}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-18T16:57:52.350Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "24", + "event_id": "3", + "opcode": "Info", "process": { "pid": 4860, "thread": { - "id": 4516 + "id": 4492 } }, - "event_id": "5", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "23", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.350Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803672127Z", - "code": "5", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider 
Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.354274600Z'/\u003e\u003cEventRecordID\u003e24\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.350\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccc6-5c8f-0000-001005082900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4832\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.354Z", "category": [ "process" ], + "code": "5", + "created": "2019-03-18T16:57:52.354Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.354274600Z'/\u003e\u003cEventRecordID\u003e24\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' 
ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.350\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccc6-5c8f-0000-001005082900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4832\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "end" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, "process": { + "entity_id": "{42f11c3b-ccc6-5c8f-0000-001005082900}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", - "pid": 3208, - "entity_id": "{42f11c3b-cccc-5c8f-0000-0010e8272900}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "pid": 4832 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.364Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "25", + "event_id": "5", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "5", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "24", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.364Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803672648Z", - "code": "5", - "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.364042800Z'/\u003e\u003cEventRecordID\u003e25\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.364\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cccc-5c8f-0000-0010e8272900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3208\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.364Z", "category": [ "process" ], + "code": "5", + "created": "2019-03-18T16:57:52.364Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-03-18T16:57:52.364042800Z'/\u003e\u003cEventRecordID\u003e25\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.364\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-cccc-5c8f-0000-0010e8272900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3208\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "end" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, "process": { + "entity_id": "{42f11c3b-cccc-5c8f-0000-0010e8272900}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", - "pid": 1600, - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "pid": 3208 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.387Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "26", + "event_id": "5", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:52:04.980", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.387" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "25", "user": { "identifier": "S-1-5-18" - } - 
}, - "file": { - "name": "fe823684-c940-49f2-a940-14b02cbafba9.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data" - }, + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.387Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803673194Z", - "code": "2", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.402119100Z'/\u003e\u003cEventRecordID\u003e26\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 
16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.402Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.402Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.402119100Z'/\u003e\u003cEventRecordID\u003e26\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.387\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", + "extension": "tmp", + "name": "fe823684-c940-49f2-a940-14b02cbafba9.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp" + }, + "log": { + "level": "information" + }, "process": { - "name": "chrome.exe", - "pid": 1600, "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.417Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "27", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:04.980", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.387" + }, + "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:52:04.980", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "26", "user": { "identifier": "S-1-5-18" - } - }, - "file": { - "name": "162d4140-cfab-4d05-9c92-bca60515a622.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data" - }, + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - 
}, "event": { - "ingested": "2022-01-12T05:19:53.803673517Z", - "code": "2", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e27\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.417Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.417Z", + "kind": "event", + "original": "\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e27\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:04.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", + "extension": "tmp", + "name": "162d4140-cfab-4d05-9c92-bca60515a622.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp" + }, + "log": { + 
"level": "information" + }, "process": { - "name": "chrome.exe", - "pid": 1600, "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 }, - "@timestamp": "2019-03-18T16:57:52.417Z", - "winlog": { + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "28", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:04.980", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" + }, + "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:52:05.028", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "27", "user": { "identifier": "S-1-5-18" - } - }, - "file": { - "name": "1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default" - }, + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803673936Z", - "code": "2", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e28\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.028\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.417Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.417Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e28\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.028\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.402\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", + "extension": "tmp", + "name": "1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp" + }, + "log": { + "level": "information" + }, "process": { - "name": "chrome.exe", - "pid": 1600, "entity_id": 
"{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.417Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "29", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:05.028", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" + }, + "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:51:54.980", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "28", "user": { "identifier": "S-1-5-18" - } - }, - "file": { - "name": "37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default" - }, + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803674428Z", - "code": "2", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e29\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:51:54.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.417Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.417Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.417733000Z'/\u003e\u003cEventRecordID\u003e29\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:51:54.980\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", + "extension": "tmp", + "name": "37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp" + }, + "log": { + "level": "information" }, "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", - "pid": 2680, - "entity_id": "{42f11c3b-ccab-5c8f-0000-001064eb2700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.433Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "30", + "event_data": { + "CreationUtcTime": "2019-03-18 16:51:54.980", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + }, + "event_id": "2", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "5", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "29", "user": { "identifier": "S-1-5-18" - } + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803675159Z", - "code": "5", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e30\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccab-5c8f-0000-001064eb2700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2680\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.433Z", "category": [ "process" ], + "code": "5", + "created": "2019-03-18T16:57:52.433Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e5\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e5\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e30\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' 
ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccab-5c8f-0000-001064eb2700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2680\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "end" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, "process": { + "entity_id": "{42f11c3b-ccab-5c8f-0000-001064eb2700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", - "pid": 1600, - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" + "pid": 2680 + }, + "user": { + "id": "S-1-5-18" }, - "@timestamp": "2019-03-18T16:57:52.433Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "record_id": "31", + "event_id": "5", + "opcode": "Info", "process": { "pid": 4860, "thread": { "id": 4516 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:52:08.496", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "30", "user": { "identifier": "S-1-5-18" - } - }, - "file": { - "name": "ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User 
Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def" - }, + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803675646Z", - "code": "2", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e31\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\u003c/Data\u003e\u003cData 
Name='CreationUtcTime'\u003e2019-03-18 16:52:08.496\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.433Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.433Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e31\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:08.496\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 
16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def", + "extension": "tmp", + "name": "ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "140", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:08.496", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + }, + "event_id": "2", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4516 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "31", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dsum.casalemedia.com", - "subdomain": "dsum", - "registered_domain": "casalemedia.com", - "top_level_domain": "com" }, + "version": 4 + } + }, + { + 
"@timestamp": "2019-07-18T03:34:04.169Z", + "dns": { "answers": [ { "data": "dsum.casalemedia.com.edgekey.net", 
@@ -11317,16 +11167,45 @@ "type": "A" } ], + "question": { + "name": "dsum.casalemedia.com", + "registered_domain": "casalemedia.com", + "subdomain": "dsum", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.169Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -11338,67 +11217,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803676137Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692791400Z'/\u003e\u003cEventRecordID\u003e140\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edsum.casalemedia.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - 
"pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "141", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "140", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync.mathtag.com", - "subdomain": "sync", - "registered_domain": "mathtag.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.169Z", + "dns": { "answers": [ { "data": "pixel-origin.mathtag.com", @@ -11449,6 +11298,12 @@ "type": "A" } ], + "question": { + "name": "sync.mathtag.com", + "registered_domain": "mathtag.com", + "subdomain": "sync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -11463,12 +11318,35 @@ "192.168.80.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.169Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -11486,67 +11364,37 @@ "192.168.80.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803676571Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692803100Z'/\u003e\u003cEventRecordID\u003e141\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.169\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.mathtag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-origin.mathtag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "142", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "141", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "status.rapidssl.com", - "subdomain": "status", - "registered_domain": "rapidssl.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.184Z", + "dns": { "answers": [ { "data": "ocsp.digicert.com", 
@@ -11561,16 +11409,45 @@ "type": "A" } ], + "question": { + "name": "status.rapidssl.com", + "registered_domain": "rapidssl.com", + "subdomain": "status", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.184Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -11582,67 +11459,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803676961Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692814000Z'/\u003e\u003cEventRecordID\u003e142\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.rapidssl.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "143", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "142", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync.extend.tv", - "subdomain": "sync", - "registered_domain": "extend.tv", - "top_level_domain": "tv" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.184Z", + "dns": { "answers": [ { "data": "cookiesyncing-1395500543.us-east-1.elb.amazonaws.com", @@ -11693,6 +11540,12 @@ "type": "A" } ], + "question": { + "name": "sync.extend.tv", + "registered_domain": "extend.tv", + "subdomain": "sync", + "top_level_domain": "tv" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -11707,12 +11560,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", 
+ "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.184Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -11726,67 +11602,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803677298Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692826300Z'/\u003e\u003cEventRecordID\u003e143\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.extend.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "144", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "143", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.comodoca.com", - "subdomain": "ocsp", - "registered_domain": "comodoca.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.185Z", + "dns": { "answers": [ { "data": "t3j2g9x7.stackpathcdn.com", @@ -11833,6 +11679,12 @@ "type": "A" } ], + "question": { + "name": "ocsp.comodoca.com", + "registered_domain": "comodoca.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -11846,12 +11698,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.185Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -11871,67 +11746,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803677612Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692837600Z'/\u003e\u003cEventRecordID\u003e144\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.185\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "145", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "144", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync-tm.everesttech.net", - "subdomain": "sync-tm", - "registered_domain": "everesttech.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.189Z", + "dns": { "answers": [ { "data": "sync.tubemogul.com", @@ -11962,6 +11807,12 @@ "type": "A" } ], + "question": { + "name": "sync-tm.everesttech.net", + "registered_domain": "everesttech.net", + "subdomain": "sync-tm", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -11969,12 +11820,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { 
"protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.189Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -11987,67 +11861,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803677988Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692848900Z'/\u003e\u003cEventRecordID\u003e145\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.189\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync-tm.everesttech.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, 
"user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "146", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "145", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "idsync.rlcdn.com", - "subdomain": "idsync", - "registered_domain": "rlcdn.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.237Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -12098,6 +11942,12 @@ "type": "A" } ], + "question": { + "name": "idsync.rlcdn.com", + "registered_domain": "rlcdn.com", + "subdomain": "idsync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -12113,12 +11963,35 @@ "192.168.51.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.237Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12139,67 +12012,37 @@ "192.168.51.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803678328Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692865100Z'/\u003e\u003cEventRecordID\u003e146\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.237\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eidsync.rlcdn.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "147", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "146", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cm.adform.net", - "subdomain": "cm", - "registered_domain": "adform.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.274Z", + "dns": { "answers": [ { "data": "track-eu.adformnet.akadns.net", @@ -12230,6 +12073,12 @@ "type": "A" } ], + "question": { + "name": "cm.adform.net", + "registered_domain": "adform.net", + "subdomain": "cm", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -12239,12 +12088,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - 
"@timestamp": "2019-07-18T03:34:04.274Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12255,153 +12127,122 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803678653Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692882700Z'/\u003e\u003cEventRecordID\u003e147\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.274\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecm.adform.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 track-eu.adformnet.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": 
"S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "148", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "147", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dm.hybrid.ai", - "subdomain": "dm", - "registered_domain": "hybrid.ai", - "top_level_domain": "ai" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.302Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "dm.hybrid.ai", + "registered_domain": "hybrid.ai", + "subdomain": "dm", + "top_level_domain": "ai" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:04.302Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "dm.hybrid.ai" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803679080Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:04.692891900Z'/\u003e\u003cEventRecordID\u003e148\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.302\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edm.hybrid.ai\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "dm.hybrid.ai" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "149", - "process": { + "event_id": "22", + "opcode": "Info", + "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - 
"channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "148", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "static.adsafeprotected.com", - "subdomain": "static", - "registered_domain": "adsafeprotected.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.304Z", + "dns": { "answers": [ { "data": "anycast.static.adsafeprotected.com", @@ -12448,6 +12289,12 @@ "type": "A" } ], + "question": { + "name": "static.adsafeprotected.com", + "registered_domain": "adsafeprotected.com", + "subdomain": "static", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -12461,12 +12308,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": 
"information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.304Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12486,67 +12356,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803679452Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692904200Z'/\u003e\u003cEventRecordID\u003e149\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.304\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.static.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + 
"dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "150", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "149", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "trc.taboola.com", - "subdomain": "trc", - "registered_domain": "taboola.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.322Z", + "dns": { "answers": [ { "data": "f2.taboola.map.fastly.net", @@ -12569,6 +12409,12 @@ "type": "A" } ], + "question": { + "name": "trc.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "trc", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -12576,12 +12422,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.322Z", - 
"ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12592,152 +12461,121 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803679776Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692920100Z'/\u003e\u003cEventRecordID\u003e150\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etrc.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 f2.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "151", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "150", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pippio.com", - "top_level_domain": "com", - "registered_domain": "pippio.com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.379Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "pippio.com", + "registered_domain": "pippio.com", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:04.379Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "pippio.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803680184Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692935200Z'/\u003e\u003cEventRecordID\u003e151\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity 
UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.379\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epippio.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pippio.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "152", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "151", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": 
"pixel-sync.sitescout.com", - "subdomain": "pixel-sync", - "registered_domain": "sitescout.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.482Z", + "dns": { "answers": [ { "data": "pixel-a.sitescout.com", @@ -12784,6 +12622,12 @@ "type": "A" } ], + "question": { + "name": "pixel-sync.sitescout.com", + "registered_domain": "sitescout.com", + "subdomain": "pixel-sync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -12797,12 +12641,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.692Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + 
}, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.482Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12822,67 +12689,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803680522Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.692997300Z'/\u003e\u003cEventRecordID\u003e152\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel-sync.sitescout.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pixel-a.sitescout.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.692Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "153", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "152", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "prod.y-medialink.com", - "subdomain": "prod", - "registered_domain": "y-medialink.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.502Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -12929,6 +12766,12 @@ "type": "AAAA" } ], + "question": { + "name": "prod.y-medialink.com", + "registered_domain": "y-medialink.com", + "subdomain": "prod", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -12943,12 +12786,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.502Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -12968,67 +12834,37 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803680841Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693010700Z'/\u003e\u003cEventRecordID\u003e153\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.502\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprod.y-medialink.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "154", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "153", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "jadserve.postrelease.com", - "subdomain": "jadserve", - "registered_domain": "postrelease.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.507Z", + "dns": { "answers": [ { "data": "jadserve.postrelease.com.akadns.net", @@ -13059,6 +12895,12 @@ "type": "A" } ], + "question": { + "name": "jadserve.postrelease.com", + "registered_domain": "postrelease.com", + "subdomain": "jadserve", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -13068,83 +12910,76 @@ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:04.507Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "jadserve.postrelease.com.akadns.net", - "jadserve.postrelease.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803681240Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693021600Z'/\u003e\u003cEventRecordID\u003e154\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.507\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ejadserve.postrelease.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 jadserve.postrelease.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" 
] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, - "winlog": { - "computer_name": "vagrant-2016", - "record_id": "155", - "process": { - "pid": 2828, - "thread": { - "id": 1684 - } - }, - "event_id": "22", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } + "related": { + "hosts": [ + "jadserve.postrelease.com.akadns.net", + "jadserve.postrelease.com" + ], + "ip": [ + "89.160.20.156" + ] }, "sysmon": { "dns": { "status": "SUCCESS" } }, - "log": { - "level": "information" + "user": { + "id": "S-1-5-18" }, - "dns": { - "question": { - "name": "appnexus-partners.tremorhub.com", - "subdomain": "appnexus-partners", - "registered_domain": "tremorhub.com", - "top_level_domain": "com" + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "154", + "user": { + "identifier": "S-1-5-18" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.508Z", + "dns": { "answers": [ { "data": "partners-1732315393.us-east-1.elb.amazonaws.com", 
@@ -13191,6 +13026,12 @@ "type": "AAAA" } ], + "question": { + "name": "appnexus-partners.tremorhub.com", + "registered_domain": "tremorhub.com", + "subdomain": "appnexus-partners", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -13204,12 +13045,35 @@ "2001:503:a83e::2:30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.508Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -13222,67 +13086,37 @@ "2001:503:a83e::2:30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803681672Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693033600Z'/\u003e\u003cEventRecordID\u003e155\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.508\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eappnexus-partners.tremorhub.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "156", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "155", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "x.dlx.addthis.com", - "subdomain": "x.dlx", - "registered_domain": "addthis.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.531Z", + "dns": { "answers": [ { "data": "gtm13.nexac.com", @@ -13321,6 +13155,12 @@ "type": "A" } ], + "question": { + "name": "x.dlx.addthis.com", + "registered_domain": "addthis.com", + "subdomain": "x.dlx", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -13331,12 +13171,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + 
"log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.531Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -13351,67 +13214,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803682053Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693044900Z'/\u003e\u003cEventRecordID\u003e156\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.531\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ex.dlx.addthis.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "157", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "156", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dh.serving-sys.com", - "subdomain": "dh", - "registered_domain": "serving-sys.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.532Z", + "dns": { "answers": [ { "data": "haproxy-dmp.sizmdx.com", @@ -13450,6 +13283,12 @@ "type": "A" } ], + "question": { + "name": "dh.serving-sys.com", + "registered_domain": "serving-sys.com", + "subdomain": "dh", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -13460,12 +13299,35 @@ "192.168.92.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": 
{ + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.532Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -13482,67 +13344,37 @@ "192.168.92.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803682433Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693057200Z'/\u003e\u003cEventRecordID\u003e157\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.532\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edh.serving-sys.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "158", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "157", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "match.sharethrough.com", - "subdomain": "match", - "registered_domain": "sharethrough.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.534Z", + "dns": { "answers": [ { "data": "match-us-east-1.sharethrough.com", @@ -13597,6 +13429,12 @@ "type": "AAAA" } ], + "question": { + "name": "match.sharethrough.com", + "registered_domain": "sharethrough.com", + "subdomain": "match", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -13612,12 +13450,35 @@ "2001:503:231d::2:30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.693Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.534Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -13632,67 +13493,37 @@ "2001:503:231d::2:30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803682884Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.693070300Z'/\u003e\u003cEventRecordID\u003e158\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.534\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sharethrough.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 match-us-east-1.sharethrough.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.693Z", - "category": [ - "network" - ], - 
"type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "159", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "158", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tags.rd.linksynergy.com", - "subdomain": "tags.rd", - "registered_domain": "linksynergy.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.601Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -13739,6 +13570,12 @@ "type": "AAAA" } ], + "question": { + "name": "tags.rd.linksynergy.com", + "registered_domain": "linksynergy.com", + "subdomain": "tags.rd", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -13753,12 +13590,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.836Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.601Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -13778,67 +13638,37 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803683267Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836591400Z'/\u003e\u003cEventRecordID\u003e159\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.601\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.rd.linksynergy.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.836Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "160", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "159", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "rtb-csync.smartadserver.com", - "subdomain": "rtb-csync", - "registered_domain": "smartadserver.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.604Z", + "dns": { "answers": [ { "data": "2-01-275d-002d.cdx.cedexis.net", @@ -13881,6 +13711,12 @@ "type": "A" } ], + "question": { + "name": "rtb-csync.smartadserver.com", + "registered_domain": "smartadserver.com", + "subdomain": "rtb-csync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -13892,91 +13728,84 @@ "192.168.80.30" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:04.604Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "2-01-275d-002d.cdx.cedexis.net", - "rtb-csync-tmk.smartadserver.com", - "rtb-csync.smartadserver.com" - ], - "ip": [ - "89.160.20.156", - "192.168.6.30", - "2001:503:a83e::2:30", - "192.168.14.30", - "2001:503:231d::2:30", - "192.168.92.30", - "2001:503:83eb::30", - "192.168.80.30" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803683769Z", + "category": [ + "network" + ], "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 
rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", "created": "2019-07-18T03:34:04.836Z", - "category": [ - "network" - ], + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836608300Z'/\u003e\u003cEventRecordID\u003e160\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.604\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb-csync.smartadserver.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 
rtb-csync-tmk.smartadserver.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "2-01-275d-002d.cdx.cedexis.net", + "rtb-csync-tmk.smartadserver.com", + "rtb-csync.smartadserver.com" + ], + "ip": [ + "89.160.20.156", + "192.168.6.30", + "2001:503:a83e::2:30", + "192.168.14.30", + "2001:503:231d::2:30", + "192.168.92.30", + "2001:503:83eb::30", + "192.168.80.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "161", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "160", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sc.iasds01.com", - "subdomain": "sc", - "registered_domain": "iasds01.com", - "top_level_domain": "com" }, + 
"version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.621Z", + "dns": { "answers": [ { "data": "anycast.sc.iasds01.com", @@ -14023,6 +13852,12 @@ "type": "A" } ], + "question": { + "name": "sc.iasds01.com", + "registered_domain": "iasds01.com", + "subdomain": "sc", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -14036,12 +13871,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:04.836Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.621Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14061,67 +13919,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803684212Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:04.836626600Z'/\u003e\u003cEventRecordID\u003e161\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.621\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esc.iasds01.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 anycast.sc.iasds01.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:04.836Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "162", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "161", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dt.adsafeprotected.com", - "subdomain": "dt", - "registered_domain": "adsafeprotected.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.822Z", + "dns": { "answers": [ { "data": "sjedt.adsafeprotected.com", @@ -14168,6 +13996,12 @@ "type": "A" } ], + "question": { + "name": "dt.adsafeprotected.com", + "registered_domain": "adsafeprotected.com", + "subdomain": "dt", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -14181,12 +14015,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:05.034Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" 
+ }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.822Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14206,67 +14063,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803684647Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034646400Z'/\u003e\u003cEventRecordID\u003e162\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edt.adsafeprotected.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sjedt.adsafeprotected.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:05.034Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "163", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "162", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "status.thawte.com", - "subdomain": "status", - "registered_domain": "thawte.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.822Z", + "dns": { "answers": [ { "data": "ocsp.digicert.com", 
@@ -14281,16 +14108,45 @@ "type": "A" } ], + "question": { + "name": "status.thawte.com", + "registered_domain": "thawte.com", + "subdomain": "status", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:05.034Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" 
+ ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.822Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14302,74 +14158,44 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803685122Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034657300Z'/\u003e\u003cEventRecordID\u003e163\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.822\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.thawte.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:05.034Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": 
"f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "164", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "163", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.860Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "ads.stickyadstv.com", - "subdomain": "ads", - "registered_domain": "stickyadstv.com", - "top_level_domain": "com" - }, "answers": [ { "data": "ip1.ads.stickyadstv.com.akadns.net", @@ -14416,6 +14242,12 @@ "type": "A" } ], + "question": { + "name": "ads.stickyadstv.com", + "registered_domain": "stickyadstv.com", + "subdomain": "ads", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -14427,12 +14259,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:05.034Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + 
"type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.860Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14445,67 +14300,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803685648Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:05.034798300Z'/\u003e\u003cEventRecordID\u003e164\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.860\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.stickyadstv.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:05.034Z", - "category": [ - 
"network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "165", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "164", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "hbx.media.net", - "subdomain": "hbx", - "registered_domain": "media.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.904Z", + "dns": { "answers": [ { "data": "hbx.media.net.edgekey.net", 
@@ -14520,16 +14345,45 @@ "type": "A" } ], + "question": { + "name": "hbx.media.net", + "registered_domain": "media.net", + "subdomain": "hbx", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:06.051Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + 
] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.904Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14541,67 +14395,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803686122Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051692700Z'/\u003e\u003cEventRecordID\u003e165\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.904\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ehbx.media.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:06.051Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "166", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "165", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "match.taboola.com", - "subdomain": "match", - "registered_domain": "taboola.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.911Z", + "dns": { "answers": [ { "data": "trc.taboola.map.fastly.net", @@ -14624,6 +14448,12 @@ "type": "A" } ], + "question": { + "name": "match.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "match", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -14631,12 +14461,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:06.051Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:04.911Z", - 
"ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14647,67 +14500,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803686508Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051710000Z'/\u003e\u003cEventRecordID\u003e166\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:04.911\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.taboola.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 trc.taboola.map.fastly.net;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:06.051Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "167", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "166", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "img-s-msn-com.akamaized.net", - "subdomain": "img-s-msn-com", - "registered_domain": "akamaized.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.056Z", + "dns": { "answers": [ { "data": "a1834.dspg2.akamai.net", 
@@ -14722,17 +14545,46 @@ "type": "A" } ], + "question": { + "name": "img-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": "img-s-msn-com", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:06.051Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + 
"type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.056Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14743,67 +14595,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803686893Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:06.051902900Z'/\u003e\u003cEventRecordID\u003e167\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.056\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eimg-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1834.dspg2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:06.051Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "168", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "167", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "static-entertainment-eus-s-msn-com.akamaized.net", - "subdomain": "static-entertainment-eus-s-msn-com", - "registered_domain": "akamaized.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.064Z", + "dns": { "answers": [ { "data": "a1505.g2.akamai.net", 
@@ -14818,17 +14640,46 @@ "type": "A" } ], + "question": { + "name": "static-entertainment-eus-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": "static-entertainment-eus-s-msn-com", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:07.049Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.064Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14839,67 +14690,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803687284Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049319700Z'/\u003e\u003cEventRecordID\u003e168\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.064\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:07.049Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", 
- "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "169", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "168", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "radarmaps.weather.microsoft.com", - "subdomain": "radarmaps.weather", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.178Z", + "dns": { "answers": [ { "data": "radarmaps.weather.microsoft.com.edgekey.net", 
@@ -14914,16 +14735,45 @@ "type": "A" } ], + "question": { + "name": "radarmaps.weather.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "radarmaps.weather", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:07.049Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.178Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -14935,67 +14785,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803687604Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049334900Z'/\u003e\u003cEventRecordID\u003e169\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.178\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eradarmaps.weather.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:07.049Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 356, - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "170", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "169", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "static-entertainment-eus-s-msn-com.akamaized.net", - "subdomain": "static-entertainment-eus-s-msn-com", - "registered_domain": "akamaized.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.455Z", + "dns": { "answers": [ { "data": "a1505.g2.akamai.net", 
@@ -15010,17 +14830,46 @@ "type": "A" } ], + "question": { + "name": "static-entertainment-eus-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": "static-entertainment-eus-s-msn-com", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:07.049Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.455Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 }, "related": { "hosts": [ 
@@ -15031,67 +14880,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803688104Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049349000Z'/\u003e\u003cEventRecordID\u003e170\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.455\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003estatic-entertainment-eus-s-msn-com.akamaized.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a1505.g2.akamai.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:07.049Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - 
"pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "171", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "170", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tag.sp.advertising.com", - "subdomain": "tag.sp", - "registered_domain": "advertising.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.494Z", + "dns": { "answers": [ { "data": "cs747173190.wac.omegacdn.net", 
@@ -15102,16 +14921,45 @@ "type": "A" } ], + "question": { + "name": "tag.sp.advertising.com", + "registered_domain": "advertising.com", + "subdomain": "tag.sp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:07.049Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + 
] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.494Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15122,67 +14970,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803688586Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049364200Z'/\u003e\u003cEventRecordID\u003e171\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.494\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etag.sp.advertising.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs747173190.wac.omegacdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:07.049Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "172", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "171", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "www.bing.com", - "subdomain": "www", - "registered_domain": "bing.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.567Z", + "dns": { "answers": [ { "data": "a-0001.a-afdentry.net.trafficmanager.net", 
@@ -15201,17 +15019,46 @@ "type": "A" } ], + "question": { + "name": "www.bing.com", + "registered_domain": "bing.com", + "subdomain": "www", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:07.049Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", 
+ "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:06.567Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15223,67 +15070,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803689062Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:07.049377200Z'/\u003e\u003cEventRecordID\u003e172\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:06.567\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.bing.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:07.049Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "173", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "172", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "cdn.doubleverify.com", - "subdomain": "cdn", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.228Z", + "dns": { "answers": [ { "data": "akacdn.doubleverify.com.edgekey.net", 
@@ -15298,16 +15115,45 @@ "type": "A" } ], + "question": { + "name": "cdn.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "cdn", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.228Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15319,74 +15165,44 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803689400Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054270200Z'/\u003e\u003cEventRecordID\u003e173\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.228\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - 
"id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "174", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "173", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.357Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "cdn3.doubleverify.com", - "subdomain": "cdn3", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" - }, "answers": [ { "data": "cdn.doubleverify.com", 
@@ -15405,89 +15221,88 @@ "type": "A" } ], + "question": { + "name": "cdn3.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "cdn3", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:07.357Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "cdn.doubleverify.com", - "akacdn.doubleverify.com.edgekey.net", - "e17513.d.akamaiedge.net", - "cdn3.doubleverify.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803689798Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 
e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054302600Z'/\u003e\u003cEventRecordID\u003e174\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.357\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdn3.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + 
"provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, - "winlog": { - "computer_name": "vagrant-2016", - "record_id": "175", - "process": { - "pid": 2828, + "related": { + "hosts": [ + "cdn.doubleverify.com", + "akacdn.doubleverify.com.edgekey.net", + "e17513.d.akamaiedge.net", + "cdn3.doubleverify.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "174", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "rtb0.doubleverify.com", - "subdomain": "rtb0", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.721Z", + "dns": { "answers": [ { "data": "bs-geo.dvgtm.akadns.net", 
@@ -15502,16 +15317,45 @@ "type": "A" } ], + "question": { + "name": "rtb0.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "rtb0", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.721Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15523,67 +15367,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803690128Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054327300Z'/\u003e\u003cEventRecordID\u003e175\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.721\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ertb0.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 
2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "176", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "175", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dev.virtualearth.net", - "subdomain": "dev", - "registered_domain": "virtualearth.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.774Z", + "dns": { "answers": [ { "data": "platform.maps.glbdns2.microsoft.com", 
@@ -15598,16 +15412,45 @@ "type": "A" } ], + "question": { + "name": "dev.virtualearth.net", + "registered_domain": "virtualearth.net", + "subdomain": "dev", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + 
"type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.774Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15619,67 +15462,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803690466Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054344600Z'/\u003e\u003cEventRecordID\u003e176\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.774\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edev.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - 
"name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "177", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "176", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "t.ssl.ak.dynamic.tiles.virtualearth.net", - "subdomain": "t.ssl.ak.dynamic.tiles", - "registered_domain": "virtualearth.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.847Z", + "dns": { "answers": [ { "data": "t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net", 
@@ -15694,88 +15507,87 @@ "type": "A" } ], + "question": { + "name": "t.ssl.ak.dynamic.tiles.virtualearth.net", + "registered_domain": "virtualearth.net", + "subdomain": "t.ssl.ak.dynamic.tiles", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:07.847Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net", - "e7622.g.akamaiedge.net", - "t.ssl.ak.dynamic.tiles.virtualearth.net" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803690900Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054356200Z'/\u003e\u003cEventRecordID\u003e177\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.847\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.ssl.ak.dynamic.tiles.virtualearth.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net", + "e7622.g.akamaiedge.net", + "t.ssl.ak.dynamic.tiles.virtualearth.net" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "178", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "177", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "rp.gwallet.com", - "subdomain": "rp", - "registered_domain": "gwallet.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.943Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -15826,6 +15638,12 @@ "type": "A" } ], + "question": { + "name": "rp.gwallet.com", + "registered_domain": "gwallet.com", + "subdomain": "rp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -15841,12 +15659,35 @@ "192.168.51.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.943Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15867,67 +15708,37 @@ "192.168.51.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803691402Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054411600Z'/\u003e\u003cEventRecordID\u003e178\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.943\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erp.gwallet.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "179", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "178", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ads.yahoo.com", - "subdomain": "ads", - "registered_domain": "yahoo.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.945Z", + "dns": { "answers": [ { "data": "fo-fd-world-new.yax.gysm.yahoodns.net", @@ -15950,6 +15761,12 @@ "type": "A" } ], + "question": { + "name": "ads.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "ads", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "98.138.49.44", 
@@ -15957,12 +15774,35 @@ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": 
"2019-07-18T03:34:07.945Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -15974,74 +15814,44 @@ "98.138.49.44" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803692149Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054422900Z'/\u003e\u003cEventRecordID\u003e179\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.945\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eads.yahoo.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:89.160.20.156;::ffff:98.138.49.44;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - 
"name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "180", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "179", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.954Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "um.simpli.fi", - "subdomain": "um", - "registered_domain": "simpli.fi", - "top_level_domain": "fi" - }, "answers": [ { "data": "89.160.20.156", 
@@ -16056,88 +15866,87 @@ "type": "A" } ], + "question": { + "name": "um.simpli.fi", + "registered_domain": "simpli.fi", + "subdomain": "um", + "top_level_domain": "fi" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:07.954Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "um.simpli.fi" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803692597Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054432800Z'/\u003e\u003cEventRecordID\u003e180\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.954\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eum.simpli.fi\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": 
"dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "um.simpli.fi" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "181", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "180", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "mpp.vindicosuite.com", - "subdomain": "mpp", - "registered_domain": "vindicosuite.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.955Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -16184,6 +15993,12 @@ "type": "AAAA" } ], + "question": { + "name": "mpp.vindicosuite.com", + "registered_domain": "vindicosuite.com", + "subdomain": "mpp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -16198,12 +16013,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:07.955Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16223,153 +16061,122 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803692920Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054444800Z'/\u003e\u003cEventRecordID\u003e181\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003empp.vindicosuite.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "182", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "181", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync.1rx.io", - "subdomain": "sync", - "registered_domain": "1rx.io", - "top_level_domain": "io" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.955Z", + "dns": { "answers": [ { "data": "89.160.20.156", "type": "A" } ], + "question": { + "name": "sync.1rx.io", + "registered_domain": "1rx.io", + "subdomain": "sync", + "top_level_domain": "io" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:07.955Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "sync.1rx.io" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803693342Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated 
SystemTime='2019-07-18T03:34:08.054454600Z'/\u003e\u003cEventRecordID\u003e182\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.955\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.1rx.io\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "sync.1rx.io" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "183", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": 
"Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "182", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync.teads.tv", - "subdomain": "sync", - "registered_domain": "teads.tv", - "top_level_domain": "tv" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.956Z", + "dns": { "answers": [ { "data": "sync.teads.tv.edgekey.net", 
@@ -16384,17 +16191,46 @@ "type": "A" } ], - "resolved_ip": [ - "89.160.20.156" - ] - }, - "network": { - "protocol": "dns" + "question": { + "name": "sync.teads.tv", + "registered_domain": "teads.tv", + "subdomain": "sync", + "top_level_domain": "tv" + }, + "resolved_ip": [ + "89.160.20.156" + ] }, - "@timestamp": "2019-07-18T03:34:07.956Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, "related": { "hosts": [ "sync.teads.tv.edgekey.net", 
@@ -16405,67 +16241,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803693830Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054464900Z'/\u003e\u003cEventRecordID\u003e183\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:07.956\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.teads.tv\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "184", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "183", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "s.thebrighttag.com", - "subdomain": "s", - "registered_domain": "thebrighttag.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.019Z", + "dns": { "answers": [ { "data": "td.thebrighttag.com", @@ -16516,6 +16322,12 @@ "type": "A" } ], + "question": { + "name": "s.thebrighttag.com", + "registered_domain": "thebrighttag.com", + "subdomain": "s", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -16530,12 +16342,35 @@ "192.168.80.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:08.054Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.019Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16553,67 +16388,37 @@ "192.168.80.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803694263Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:08.054482800Z'/\u003e\u003cEventRecordID\u003e184\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.019\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003es.thebrighttag.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.thebrighttag.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:08.054Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "186", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "184", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "t.a3cloud.net", - "subdomain": "t", - "registered_domain": "a3cloud.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.050Z", + "dns": { "answers": [ { "data": "d386jaag4hn9zl.cloudfront.net", 
@@ -16624,16 +16429,45 @@ "type": "A" } ], + "question": { + "name": "t.a3cloud.net", + "registered_domain": "a3cloud.net", + "subdomain": "t", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.053Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.050Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16644,67 +16478,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803694582Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053883400Z'/\u003e\u003cEventRecordID\u003e186\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.050\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003et.a3cloud.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 d386jaag4hn9zl.cloudfront.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.053Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "187", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "186", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tps618.doubleverify.com", - "subdomain": "tps618", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.070Z", + "dns": { "answers": [ { "data": "nycp-hlb.doubleverify.com", 
@@ -16719,16 +16523,45 @@ "type": "A" } ], + "question": { + "name": "tps618.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps618", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.053Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.070Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16740,67 +16573,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803694957Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053900700Z'/\u003e\u003cEventRecordID\u003e187\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.070\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps618.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.053Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - 
"pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "188", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "187", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "dpm.demdex.net", - "subdomain": "dpm", - "registered_domain": "demdex.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.090Z", + "dns": { "answers": [ { "data": "gslb-2.demdex.net", @@ -16851,6 +16654,12 @@ "type": "A" } ], + "question": { + "name": "dpm.demdex.net", + "registered_domain": "demdex.net", + "subdomain": "dpm", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -16863,12 +16672,35 @@ "192.168.6.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.053Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ 
+ "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.090Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -16882,67 +16714,37 @@ "192.168.6.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803695285Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053914100Z'/\u003e\u003cEventRecordID\u003e188\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.090\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003edpm.demdex.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.053Z", - "category": [ - "network" - ], 
- "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "189", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "188", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "secure.adnxs.com", - "subdomain": "secure", - "registered_domain": "adnxs.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.308Z", + "dns": { "answers": [ { "data": "g.geogslb.com", @@ -16997,6 +16799,12 @@ "type": "A" } ], + "question": { + "name": "secure.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "secure", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -17011,12 +16819,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.053Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.308Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -17031,67 +16862,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803695615Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053938800Z'/\u003e\u003cEventRecordID\u003e189\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.308\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esecure.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.053Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "190", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "189", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tps.doubleverify.com", - "subdomain": "tps", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.478Z", + "dns": { "answers": [ { "data": "tps-geo.dvgtm.akadns.net", 
@@ -17106,16 +16907,45 @@ "type": "A" } ], + "question": { + "name": "tps.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.053Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", 
+ "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.478Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -17127,67 +16957,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803695998Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.053949300Z'/\u003e\u003cEventRecordID\u003e190\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.478\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.053Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 
2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "191", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "190", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "i.liadm.com", - "subdomain": "i", - "registered_domain": "liadm.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.536Z", + "dns": { "answers": [ { "data": "idaas-production.us-east-1.elasticbeanstalk.com", @@ -17238,6 +17038,12 @@ "type": "A" } ], + "question": { + "name": "i.liadm.com", + "registered_domain": "liadm.com", + "subdomain": "i", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -17252,12 +17058,35 @@ "192.168.14.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.536Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -17271,67 +17100,37 @@ "192.168.14.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803696362Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067752300Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.536\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ei.liadm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "192", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "191", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pixel.s3xified.com", - "subdomain": "pixel", - "registered_domain": "s3xified.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.544Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -17382,6 +17181,12 @@ "type": "A" } ], + "question": { + "name": "pixel.s3xified.com", + "registered_domain": "s3xified.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -17397,12 +17202,35 @@ "192.168.51.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.544Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -17423,67 +17251,37 @@ "192.168.51.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803696728Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067766000Z'/\u003e\u003cEventRecordID\u003e192\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.544\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.s3xified.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "193", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "192", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "router.infolinks.com", - "subdomain": "router", - "registered_domain": "infolinks.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.550Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -17530,6 +17328,12 @@ "type": "A" } ], + "question": { + "name": "router.infolinks.com", + "registered_domain": "infolinks.com", + "subdomain": "router", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -17544,12 +17348,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": 
{ "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.550Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -17568,67 +17395,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803697404Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067776600Z'/\u003e\u003cEventRecordID\u003e193\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003erouter.infolinks.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": 
"SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "194", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "193", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "grey.erne.co", - "subdomain": "grey", - "registered_domain": "erne.co", - "top_level_domain": "co" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.552Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -17671,6 +17468,12 @@ "type": "A" } ], + "question": { + "name": "grey.erne.co", + "registered_domain": "erne.co", + "subdomain": "grey", + "top_level_domain": "co" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -17684,82 +17487,75 @@ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:08.552Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "grey.erne.co" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803697793Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": 
"Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067787900Z'/\u003e\u003cEventRecordID\u003e194\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003egrey.erne.co\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + 
"level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "grey.erne.co" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "195", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "194", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync.jivox.com", - "subdomain": "sync", - "registered_domain": "jivox.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.552Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -17810,6 +17606,12 @@ "type": "AAAA" } ], + "question": { + "name": "sync.jivox.com", + "registered_domain": "jivox.com", + "subdomain": "sync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -17825,12 +17627,35 @@ "2001:502:1ca1::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" 
+ }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.552Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -17850,67 +17675,37 @@ "2001:502:1ca1::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803698280Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067797800Z'/\u003e\u003cEventRecordID\u003e195\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.552\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.jivox.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "196", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "195", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "b1sync.zemanta.com", - "subdomain": "b1sync", - "registered_domain": "zemanta.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.594Z", + "dns": { "answers": [ { "data": "b1-lsw-use1.zemanta.com", @@ -18125,6 +17920,12 @@ "type": "AAAA" } ], + "question": { + "name": "b1sync.zemanta.com", + "registered_domain": "zemanta.com", + "subdomain": "b1sync", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -18180,12 +17981,35 @@ "2001:502:7094::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.594Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -18218,67 +18042,37 @@ "2001:502:7094::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803698674Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067819600Z'/\u003e\u003cEventRecordID\u003e196\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.594\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eb1sync.zemanta.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 
b1-lsw-use1.zemanta.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;2001:502:1ca1::30;192.168.51.30;2001:503:d414::30;192.168.93.30;2001:503:eea3::30;192.168.112.30;2001:502:8cc::30;192.168.172.30;2001:503:39c1::30;192.168.79.30;2001:502:7094::30;192.5\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "197", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": 
"Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "196", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tg.socdm.com", - "subdomain": "tg", - "registered_domain": "socdm.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.619Z", + "dns": { "answers": [ { "data": "tg3.dr.socdm.com", @@ -18341,6 +18135,12 @@ "type": "AAAA" } ], + "question": { + "name": "tg.socdm.com", + "registered_domain": "socdm.com", + "subdomain": "tg", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -18358,12 +18158,35 @@ "2001:503:a83e::2:30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.619Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -18376,74 +18199,44 @@ "2001:503:a83e::2:30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803699124Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067835500Z'/\u003e\u003cEventRecordID\u003e197\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.619\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etg.socdm.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tg3.dr.socdm.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - 
"category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "198", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "197", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.620Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "prebid.adnxs.com", - "subdomain": "prebid", - "registered_domain": "adnxs.com", - "top_level_domain": "com" - }, "answers": [ { "data": "prebid.appnexusgslb.net", 
@@ -18454,87 +18247,86 @@ "type": "A" } ], + "question": { + "name": "prebid.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "prebid", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:08.620Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "prebid.appnexusgslb.net", - "prebid.adnxs.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803699592Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067845000Z'/\u003e\u003cEventRecordID\u003e198\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.620\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eprebid.adnxs.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 prebid.appnexusgslb.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" 
+ }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, - "winlog": { - "computer_name": "vagrant-2016", - "record_id": "199", - "process": { + "related": { + "hosts": [ + "prebid.appnexusgslb.net", + "prebid.adnxs.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "198", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ul1.dvtps.com", - "subdomain": "ul1", - "registered_domain": "dvtps.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.811Z", + "dns": { "answers": [ { "data": "tps.doubleverify.com", 
@@ -18553,16 +18345,45 @@ "type": "A" } ], + "question": { + "name": "ul1.dvtps.com", + "registered_domain": "dvtps.com", + "subdomain": "ul1", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:08.811Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -18575,141 +18396,110 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803700055Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067883500Z'/\u003e\u003cEventRecordID\u003e199\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.811\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": 
"iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "200", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "199", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.912Z", "dns": { "question": { "name": "ul1.dvtps.com", - "subdomain": "ul1", "registered_domain": "dvtps.com", + "subdomain": "ul1", "top_level_domain": "com" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:08.912Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "ul1.dvtps.com" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803700390Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067946300Z'/\u003e\u003cEventRecordID\u003e200\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:08.912\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.067Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:09.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.067946300Z'/\u003e\u003cEventRecordID\u003e200\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 
03:34:08.912\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eul1.dvtps.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9701\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ul1.dvtps.com" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "201", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "200", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tags.bluekai.com", - "subdomain": "tags", - "registered_domain": "bluekai.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.016Z", + "dns": 
{ "answers": [ { "data": "tags.bluekai.com.edgekey.net", 
@@ -18724,88 +18514,87 @@ "type": "A" } ], + "question": { + "name": "tags.bluekai.com", + "registered_domain": "bluekai.com", + "subdomain": "tags", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:09.016Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "tags.bluekai.com.edgekey.net", - "e13541.x.akamaiedge.net", - "tags.bluekai.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803700730Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program 
Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:09.068Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:09.068Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:09.068003400Z'/\u003e\u003cEventRecordID\u003e201\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.016\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etags.bluekai.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + 
"level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, - "winlog": { - "computer_name": "vagrant-2016", - "record_id": "202", - "process": { - "pid": 2828, - "thread": { - "id": 1684 - } - }, - "event_id": "22", - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, - "user": { - "identifier": "S-1-5-18" - } + "related": { + "hosts": [ + "tags.bluekai.com.edgekey.net", + "e13541.x.akamaiedge.net", + "tags.bluekai.com" + ], + "ip": [ + "89.160.20.156" + ] }, "sysmon": { "dns": { "status": "SUCCESS" } }, - "log": { - "level": "information" + "user": { + "id": "S-1-5-18" }, - "dns": { - "question": { - "name": "cdnjs.cloudflare.com", - "subdomain": "cdnjs", - "registered_domain": "cloudflare.com", - "top_level_domain": "com" + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "201", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.048Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -18856,6 +18645,12 @@ "type": "A" } ], + "question": { + "name": "cdnjs.cloudflare.com", + "registered_domain": "cloudflare.com", + "subdomain": "cdnjs", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -18871,12 +18666,35 @@ "192.168.80.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.048Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -18893,67 +18711,37 @@ "192.168.80.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803701130Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067467200Z'/\u003e\u003cEventRecordID\u003e202\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.048\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ecdnjs.cloudflare.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { 
+ "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "203", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "202", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "pixel.onaudience.com", - "subdomain": "pixel", - "registered_domain": "onaudience.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.051Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -19004,6 +18792,12 @@ "type": "AAAA" } ], + "question": { + "name": "pixel.onaudience.com", + "registered_domain": "onaudience.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -19019,12 +18813,35 @@ "2001:500:856e::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.051Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19042,67 +18859,37 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803701523Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067488100Z'/\u003e\u003cEventRecordID\u003e203\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.051\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003epixel.onaudience.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { 
+ "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "204", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "203", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "status.geotrust.com", - "subdomain": "status", - "registered_domain": "geotrust.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.054Z", + "dns": { "answers": [ { "data": "ocsp.digicert.com", 
@@ -19117,88 +18904,87 @@ "type": "A" } ], + "question": { + "name": "status.geotrust.com", + "registered_domain": "geotrust.com", + "subdomain": "status", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:09.054Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "ocsp.digicert.com", - "cs9.wac.phicdn.net", - "status.geotrust.com" - ], - "ip": [ - "89.160.20.156" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803701849Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067504600Z'/\u003e\u003cEventRecordID\u003e204\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.054\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003estatus.geotrust.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" 
+ }, + "network": { + "protocol": "dns" + }, "process": { - "name": "iexplore.exe", - "pid": 2736, "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ocsp.digicert.com", + "cs9.wac.phicdn.net", + "status.geotrust.com" + ], + "ip": [ + "89.160.20.156" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "205", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "204", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ocsp.trust-provider.com", - "subdomain": "ocsp", - "registered_domain": "trust-provider.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.126Z", + "dns": { "answers": [ { "data": "t3j2g9x7.stackpathcdn.com", @@ -19245,6 +19031,12 @@ "type": "A" } ], + "question": { + "name": "ocsp.trust-provider.com", + "registered_domain": "trust-provider.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -19258,12 +19050,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" 
+ }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.126Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19283,74 +19098,44 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803702175Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067529300Z'/\u003e\u003cEventRecordID\u003e205\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.126\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.trust-provider.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "206", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "205", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.184Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "ocsp.comodoca4.com", - "subdomain": "ocsp", - "registered_domain": "comodoca4.com", - "top_level_domain": "com" - }, "answers": [ { "data": "t3j2g9x7.stackpathcdn.com", @@ -19397,6 +19182,12 @@ "type": "A" } ], + "question": { + "name": "ocsp.comodoca4.com", + "registered_domain": "comodoca4.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -19410,12 +19201,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.184Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19435,67 +19249,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803702577Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067550800Z'/\u003e\u003cEventRecordID\u003e206\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.184\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eocsp.comodoca4.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 t3j2g9x7.stackpathcdn.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "207", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "206", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "sync.crwdcntrl.net", - "subdomain": "sync", - "registered_domain": "crwdcntrl.net", - "top_level_domain": "net" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.322Z", + "dns": { "answers": [ { "data": "td.crwdcntrl.net", @@ -19542,6 +19326,12 @@ "type": "A" } ], + "question": { + "name": "sync.crwdcntrl.net", + "registered_domain": "crwdcntrl.net", + "subdomain": "sync", + "top_level_domain": "net" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -19554,13 +19344,36 @@ "192.168.6.30" ] }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:34:09.322Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, "related": { "hosts": [ "td.crwdcntrl.net", 
@@ -19572,67 +19385,37 @@ "192.168.6.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803702943Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067594200Z'/\u003e\u003cEventRecordID\u003e207\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.322\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esync.crwdcntrl.net\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - 
"connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "208", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "207", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "match.sync.ad.cpe.dotomi.com", - "subdomain": "match.sync.ad.cpe", - "registered_domain": "dotomi.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.730Z", + "dns": { "answers": [ { "data": "cpe.us.dotomi.weighted.com.akadns.net", @@ -19671,6 +19454,12 @@ "type": "A" } ], + "question": { + "name": "match.sync.ad.cpe.dotomi.com", + "registered_domain": "dotomi.com", + "subdomain": "match.sync.ad.cpe", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -19680,12 +19469,35 @@ "192.168.92.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:10.067Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, 
+ "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:09.730Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19703,74 +19515,44 @@ "192.168.92.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803703268Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:10.067634800Z'/\u003e\u003cEventRecordID\u003e208\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:09.730\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ematch.sync.ad.cpe.dotomi.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:10.067Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - 
"info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "209", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "208", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:10.627Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "tps10230.doubleverify.com", - "subdomain": "tps10230", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" - }, "answers": [ { "data": "nycp-hlb.doubleverify.com", 
@@ -19785,16 +19567,45 @@ "type": "A" } ], + "question": { + "name": "tps10230.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps10230", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:11.066Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ 
+ "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:10.627Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19806,74 +19617,44 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803703672Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066534000Z'/\u003e\u003cEventRecordID\u003e209\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.627\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10230.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:11.066Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "mbp.local", - "id": 
"f0224db8-40a9-4f00-b117-333ddd1bc45b", - "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", - "type": "filebeat", - "version": "8.0.0" - }, - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "210", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "209", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:10.650Z", + "agent": { + "ephemeral_id": "bdc6a4f9-ab87-41e0-a64e-bbcecdf73c6c", + "id": "f0224db8-40a9-4f00-b117-333ddd1bc45b", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" }, "dns": { - "question": { - "name": "tps10221.doubleverify.com", - "subdomain": "tps10221", - "registered_domain": "doubleverify.com", - "top_level_domain": "com" - }, "answers": [ { "data": "nycp-hlb.doubleverify.com", 
@@ -19888,16 +19669,45 @@ "type": "A" } ], + "question": { + "name": "tps10221.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps10221", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:11.066Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ 
+ "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:10.650Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -19909,67 +19719,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803704056Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:11.066558700Z'/\u003e\u003cEventRecordID\u003e210\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:10.650\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003etps10221.doubleverify.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:11.066Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - 
"pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "212", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "210", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "www.facebook.com", - "subdomain": "www", - "registered_domain": "facebook.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:16.329Z", + "dns": { "answers": [ { "data": "star-mini.c10r.facebook.com", @@ -20016,6 +19796,12 @@ "type": "A" } ], + "question": { + "name": "www.facebook.com", + "registered_domain": "facebook.com", + "subdomain": "www", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -20029,12 +19815,35 @@ "192.168.94.30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:17.272Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, 
"network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:16.329Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -20054,67 +19863,37 @@ "192.168.94.30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803704396Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272022200Z'/\u003e\u003cEventRecordID\u003e212\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.329\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003ewww.facebook.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 star-mini.c10r.facebook.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;192.168.94.30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:17.272Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "213", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "212", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "platform.twitter.com", - "subdomain": "platform", - "registered_domain": "twitter.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:16.386Z", + "dns": { "answers": [ { "data": "cs472.wac.edgecastcdn.net", 
@@ -20141,16 +19920,45 @@ "type": "A" } ], + "question": { + "name": "platform.twitter.com", + "registered_domain": "twitter.com", + "subdomain": "platform", + "top_level_domain": "com" + }, "resolved_ip": [ "192.168.163.25" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:17.272Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:16.386Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -20165,67 +19973,37 @@ "192.168.163.25" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803704753Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272102900Z'/\u003e\u003cEventRecordID\u003e213\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.386\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eplatform.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.168.163.25;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:17.272Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + 
"status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "214", - "process": { + "event_id": "22", + "opcode": "Info", + "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "213", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "syndication.twitter.com", - "subdomain": "syndication", - "registered_domain": "twitter.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:16.482Z", + "dns": { "answers": [ { "data": "89.160.20.156", @@ -20276,6 +20054,12 @@ "type": "AAAA" } ], + "question": { + "name": "syndication.twitter.com", + "registered_domain": "twitter.com", + "subdomain": "syndication", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "89.160.20.156", 
@@ -20291,12 +20075,35 @@ "2001:500:856e::30" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:17.272Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + 
"level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:16.482Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -20314,67 +20121,37 @@ "2001:500:856e::30" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803705073Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:17.272134300Z'/\u003e\u003cEventRecordID\u003e214\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:16.482\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003esyndication.twitter.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003e::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;192.168.80.30;2001:500:856e::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:17.272Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + 
"sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 2736, - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", - "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "215", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "214", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "ade.googlesyndication.com", - "subdomain": "ade", - "registered_domain": "googlesyndication.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:19.578Z", + "dns": { "answers": [ { "data": "pagead.l.doubleclick.net", 
@@ -20385,16 +20162,45 @@ "type": "A" } ], + "question": { + "name": "ade.googlesyndication.com", + "registered_domain": "googlesyndication.com", + "subdomain": "ade", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:21.552Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:19.578Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 }, "related": { "hosts": [ 
@@ -20405,67 +20211,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803705404Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:21.552490900Z'/\u003e\u003cEventRecordID\u003e215\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:19.578\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a9-5d2f-0000-001053699900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2736\u003c/Data\u003e\u003cData Name='QueryName'\u003eade.googlesyndication.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 pagead.l.doubleclick.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:21.552Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 356, - "entity_id": 
"{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "216", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "215", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "iecvlist.microsoft.com", - "subdomain": "iecvlist", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:31.219Z", + "dns": { "answers": [ { "data": "ie9comview.vo.msecnd.net", 
@@ -20480,16 +20256,45 @@ "type": "A" } ], + "question": { + "name": "iecvlist.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "iecvlist", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:34:33.148Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + 
"protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:34:31.219Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 }, "related": { "hosts": [ 
@@ -20501,67 +20306,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803705721Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:34:33.148104300Z'/\u003e\u003cEventRecordID\u003e216\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:34:31.219\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003eiecvlist.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:34:33.148Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 844, - 
"entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "220", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "216", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "tsfe.trafficshaping.dsp.mp.microsoft.com", - "subdomain": "tsfe.trafficshaping.dsp.mp", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:39:02.752Z", + "dns": { "answers": [ { "data": "tsfe.trafficmanager.net", 
@@ -20572,16 +20347,45 @@ "type": "A" } ], + "question": { + "name": "tsfe.trafficshaping.dsp.mp.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "tsfe.trafficshaping.dsp.mp", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:39:03.685Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:39:02.752Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 844 }, "related": { "hosts": [ 
@@ -20592,283 +20396,250 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803706099Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:03.685690200Z'/\u003e\u003cEventRecordID\u003e220\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:02.752\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003etsfe.trafficshaping.dsp.mp.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 tsfe.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:39:03.685Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 844, - "entity_id": 
"{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", - "executable": "C:\\Windows\\System32\\svchost.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "221", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "220", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RCODE_NAME_ERROR" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:39:20.413Z", "dns": { "question": { "name": "isatap.local.crowbird.com", - "subdomain": "isatap.local", "registered_domain": "crowbird.com", + "subdomain": "isatap.local", "top_level_domain": "com" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:39:20.413Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "isatap.local.crowbird.com" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803706449Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:22.432153100Z'/\u003e\u003cEventRecordID\u003e221\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' 
ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:20.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003eisatap.local.crowbird.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:39:22.432Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:39:22.432Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:22.432153100Z'/\u003e\u003cEventRecordID\u003e221\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 
03:39:20.413\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-00106aca0000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e844\u003c/Data\u003e\u003cData Name='QueryName'\u003eisatap.local.crowbird.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 844 + }, + "related": { + "hosts": [ + "isatap.local.crowbird.com" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RCODE_NAME_ERROR" + } + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "ruby.exe", - "pid": 676, - "entity_id": "{fa4a0de6-e9f7-5d2f-0000-001031039c00}", - "executable": "C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "230", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "221", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RCODE_NAME_ERROR" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:39:40.504Z", "dns": { "question": { "name": "puppet" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": 
"2019-07-18T03:39:40.504Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "puppet" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803706862Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:42.554539300Z'/\u003e\u003cEventRecordID\u003e230\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:40.504\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e9f7-5d2f-0000-001031039c00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e676\u003c/Data\u003e\u003cData Name='QueryName'\u003epuppet\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:39:42.554Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:39:42.554Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:39:42.554539300Z'/\u003e\u003cEventRecordID\u003e230\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:39:40.504\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e9f7-5d2f-0000-001031039c00}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e676\u003c/Data\u003e\u003cData Name='QueryName'\u003epuppet\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e9f7-5d2f-0000-001031039c00}", + "executable": "C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe", + "name": "ruby.exe", + "pid": 676 + }, + "related": { + "hosts": [ + "puppet" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RCODE_NAME_ERROR" + } + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 636, - "entity_id": "{fa4a0de6-b1a2-5d2f-0000-001016f70000}", - "executable": "C:\\Windows\\System32\\svchost.exe" }, "winlog": { 
+ "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "231", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "230", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "DNS_ERROR_RCODE_NAME_ERROR" - } - }, - "log": { - "level": "information" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:40:40.433Z", "dns": { "question": { "name": "wpad" } }, - "network": { - "protocol": "dns" - }, - "@timestamp": "2019-07-18T03:40:40.433Z", "ecs": { "version": "8.0.0" }, - "related": { - "hosts": [ - "wpad" - ] - }, "event": { - "ingested": "2022-01-12T05:19:53.803707213Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:40:42.447293700Z'/\u003e\u003cEventRecordID\u003e231\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:40:40.433\u003c/Data\u003e\u003cData 
Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-001016f70000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e636\u003c/Data\u003e\u003cData Name='QueryName'\u003ewpad\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:40:42.447Z", "category": [ "network" ], + "code": "22", + "created": "2019-07-18T03:40:42.447Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:40:42.447293700Z'/\u003e\u003cEventRecordID\u003e231\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:40:40.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a2-5d2f-0000-001016f70000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e636\u003c/Data\u003e\u003cData Name='QueryName'\u003ewpad\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e9003\u003c/Data\u003e\u003cData Name='QueryResults'\u003e\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "connection", "protocol", "info" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, "process": { + "entity_id": "{fa4a0de6-b1a2-5d2f-0000-001016f70000}", + "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", - "pid": 1788, - "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", - "executable": "C:\\Windows\\System32\\svchost.exe" + "pid": 636 + }, + "related": { + "hosts": [ + "wpad" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RCODE_NAME_ERROR" + } + }, + "user": { + "id": "S-1-5-18" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "232", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "231", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "v10.vortex-win.data.microsoft.com", - "subdomain": "v10.vortex-win.data", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:42:54.033Z", + "dns": { "answers": [ { "data": "v10-win.vortex.data.microsoft.com.akadns.net", 
@@ -20887,16 +20658,45 @@ "type": "A" } ], + "question": { + "name": "v10.vortex-win.data.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "v10.vortex-win.data", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:42:55.556Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:42:54.033Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 1788 }, "related": { "hosts": [ 
@@ -20909,67 +20709,37 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803707527Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:42:55.556826000Z'/\u003e\u003cEventRecordID\u003e232\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:42:54.033\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003ev10.vortex-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:42:55.556Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": 
"S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 1788, - "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", - "executable": "C:\\Windows\\System32\\svchost.exe" }, "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", - "record_id": "233", + "event_id": "22", + "opcode": "Info", "process": { "pid": 2828, "thread": { "id": 1684 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "232", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "settings-win.data.microsoft.com", - "subdomain": "settings-win.data", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:43:04.400Z", + "dns": { "answers": [ { "data": "settingsfd-geo.trafficmanager.net", 
@@ -20980,16 +20750,45 @@ "type": "A" } ], + "question": { + "name": "settings-win.data.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "settings-win.data", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156" ] }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "created": "2019-07-18T03:43:06.459Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", 
+ "info" + ] + }, + "log": { + "level": "information" + }, "network": { "protocol": "dns" }, - "@timestamp": "2019-07-18T03:43:04.400Z", - "ecs": { - "version": "8.0.0" + "process": { + "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 1788 }, "related": { "hosts": [ 
@@ -21000,316 +20799,309 @@ "89.160.20.156" ] }, - "event": { - "ingested": "2022-01-12T05:19:53.803707850Z", - "code": "22", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:43:06.459986800Z'/\u003e\u003cEventRecordID\u003e233\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:43:04.400\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-b1a3-5d2f-0000-00102f440100}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1788\u003c/Data\u003e\u003cData Name='QueryName'\u003esettings-win.data.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 settingsfd-geo.trafficmanager.net;::ffff:89.160.20.156;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-07-18T03:43:06.459Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol", - "info" - ] + "sysmon": { + "dns": { + "status": "SUCCESS" + } }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "args": [ - "C:\\Windows\\system32\\notepad.exe" - ], - "parent": { 
- "args": [ - "C:\\Windows\\Explorer.EXE" - ], - "name": "explorer.exe", - "pid": 4212, - "args_count": 1, - "entity_id": "{9f32b55f-6fdf-5f98-7000-000000000500}", - "executable": "C:\\Windows\\explorer.exe", - "command_line": "C:\\Windows\\Explorer.EXE" - }, - "pe": { - "file_version": "10.0.17763.475 (WinBuild.160101.0800)", - "description": "Notepad", - "product": "Microsoft« Windows« Operating System", - "original_file_name": "NOTEPAD.EXE", - "company": "Microsoft Corporation" - }, - "name": "notepad.exe", - "pid": 3616, - "working_directory": "C:\\Users\\vagrant\\", - "args_count": 1, - "entity_id": "{9f32b55f-7c4e-5f98-5803-000000000500}", - "hash": { - "sha1": "b6d237154f2e528f0b503b58b025862d66b02b73" - }, - "executable": "C:\\Windows\\System32\\notepad.exe", - "command_line": "\"C:\\Windows\\system32\\notepad.exe\" " }, - "@timestamp": "2020-10-27T20:00:14.320Z", "winlog": { - "computer_name": "vagrant", - "record_id": "20", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", "process": { - "pid": 7144, + "pid": 2828, "thread": { - "id": 6876 + "id": 1684 } }, - "event_id": "1", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "Company": "Microsoft Corporation", - "Description": "Notepad", - "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}", - "IntegrityLevel": "Medium", - "TerminalSessionId": "1", - "FileVersion": "10.0.17763.475 (WinBuild.160101.0800)", - "Product": "Microsoft« Windows« Operating System", - "LogonId": "0x2c9e7" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "233", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2020-10-27T20:00:14.320Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" + "event": { + "category": [ + "process" ], - "hash": [ - 
"b6d237154f2e528f0b503b58b025862d66b02b73" + "code": "1", + "created": "2020-10-27T20:00:14.324Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-27T20:00:14.324234100Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='7144' ThreadID='6876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-27 20:00:14.320\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-7c4e-5f98-5803-000000000500}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e3616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\notepad.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.475 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eNotepad\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eNOTEPAD.EXE\u003c/Data\u003e\u003cData Name='CommandLine'\u003e\"C:\\Windows\\system32\\notepad.exe\" \u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Users\\vagrant\\\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003cData 
Name='LogonGuid'\u003e{9f32b55f-6fdd-5f98-e7c9-020000000000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x2c9e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e1\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eMedium\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=B6D237154F2E528F0B503B58B025862D66B02B73\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{9f32b55f-6fdf-5f98-7000-000000000500}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e4212\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" ] }, "log": { "level": "information" }, - "event": { - "ingested": "2022-01-12T05:19:53.803708167Z", - "code": "1", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e1\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e1\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-27T20:00:14.324234100Z'/\u003e\u003cEventRecordID\u003e20\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='7144' ThreadID='6876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-27 20:00:14.320\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-7c4e-5f98-5803-000000000500}\u003c/Data\u003e\u003cData 
Name='ProcessId'\u003e3616\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\notepad.exe\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.475 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eNotepad\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eNOTEPAD.EXE\u003c/Data\u003e\u003cData Name='CommandLine'\u003e\"C:\\Windows\\system32\\notepad.exe\" \u003c/Data\u003e\u003cData Name='CurrentDirectory'\u003eC:\\Users\\vagrant\\\u003c/Data\u003e\u003cData Name='User'\u003eVAGRANT\\vagrant\u003c/Data\u003e\u003cData Name='LogonGuid'\u003e{9f32b55f-6fdd-5f98-e7c9-020000000000}\u003c/Data\u003e\u003cData Name='LogonId'\u003e0x2c9e7\u003c/Data\u003e\u003cData Name='TerminalSessionId'\u003e1\u003c/Data\u003e\u003cData Name='IntegrityLevel'\u003eMedium\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=B6D237154F2E528F0B503B58B025862D66B02B73\u003c/Data\u003e\u003cData Name='ParentProcessGuid'\u003e{9f32b55f-6fdf-5f98-7000-000000000500}\u003c/Data\u003e\u003cData Name='ParentProcessId'\u003e4212\u003c/Data\u003e\u003cData Name='ParentImage'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ParentCommandLine'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-10-27T20:00:14.324Z", - "category": [ - "process" + "process": { + "args": [ + "C:\\Windows\\system32\\notepad.exe" ], - "type": [ - "start" + "args_count": 1, + "command_line": "\"C:\\Windows\\system32\\notepad.exe\" ", + "entity_id": "{9f32b55f-7c4e-5f98-5803-000000000500}", + "executable": "C:\\Windows\\System32\\notepad.exe", + "hash": { + "sha1": "b6d237154f2e528f0b503b58b025862d66b02b73" + }, + "name": "notepad.exe", + "parent": { + "args": [ + "C:\\Windows\\Explorer.EXE" + 
], + "args_count": 1, + "command_line": "C:\\Windows\\Explorer.EXE", + "entity_id": "{9f32b55f-6fdf-5f98-7000-000000000500}", + "executable": "C:\\Windows\\explorer.exe", + "name": "explorer.exe", + "pid": 4212 + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Notepad", + "file_version": "10.0.17763.475 (WinBuild.160101.0800)", + "original_file_name": "NOTEPAD.EXE", + "product": "Microsoft« Windows« Operating System" + }, + "pid": 3616, + "working_directory": "C:\\Users\\vagrant\\" + }, + "related": { + "hash": [ + "b6d237154f2e528f0b503b58b025862d66b02b73" + ], + "user": [ + "vagrant" ] }, "user": { - "name": "vagrant", "domain": "VAGRANT", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "git.exe", - "pid": 2628, - "entity_id": "{9497d8d9-b78b-6037-6f13-000000001000}", - "executable": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe" + "id": "S-1-5-18", + "name": "vagrant" }, - "@timestamp": "2021-02-25T14:43:23.550Z", "winlog": { - "computer_name": "DESKTOP-I9CQVAQ", - "record_id": "10737797", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "Notepad", + "FileVersion": "10.0.17763.475 (WinBuild.160101.0800)", + "IntegrityLevel": "Medium", + "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}", + "LogonId": "0x2c9e7", + "Product": "Microsoft« Windows« Operating System", + "TerminalSessionId": "1" + }, + "event_id": "1", + "opcode": "Info", "process": { - "pid": 3800, + "pid": 7144, "thread": { - "id": 5080 + "id": 6876 } }, - "event_id": "25", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "20", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2021-02-25T14:43:23.550Z", "ecs": { "version": "8.0.0" }, - "log": { - 
"level": "information" - }, - "host": { - "name": "DESKTOP-I9CQVAQ" - }, "event": { - "ingested": "2022-01-12T05:19:53.803708561Z", - "code": "25", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e25\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e25\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T14:43:23.551269400Z'/\u003e\u003cEventRecordID\u003e10737797\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='5080'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 14:43:23.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-b78b-6037-6f13-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2628\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\u003c/Data\u003e\u003cData Name='Type'\u003eImage is replaced\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2021-02-25T14:43:23.551Z", "category": [ "process" ], + "code": "25", + "created": "2021-02-25T14:43:23.551Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' 
Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e25\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e25\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T14:43:23.551269400Z'/\u003e\u003cEventRecordID\u003e10737797\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='5080'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 14:43:23.550\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-b78b-6037-6f13-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2628\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\u003c/Data\u003e\u003cData Name='Type'\u003eImage is replaced\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "host": { + "name": "DESKTOP-I9CQVAQ" + }, + "log": { + "level": "information" + }, "message": "Image is replaced", + "process": { + "entity_id": "{9497d8d9-b78b-6037-6f13-000000001000}", + "executable": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe", + "name": "git.exe", + "pid": 2628 + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "svchost.exe", - "pid": 820, - "entity_id": "{42f11c3b-4664-5eba-91ae-000000000000}", - "hash": { - "md5": "5a9bddf83be530b481f0fd24db28a6ff" - }, - "executable": "C:\\Windows\\system32\\svchost.exe" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "2243", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "DESKTOP-I9CQVAQ", 
+ "event_id": "25", + "opcode": "Info", "process": { - "pid": 1188, + "pid": 3800, "thread": { - "id": 1600 + "id": 5080 } }, - "event_id": "23", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "10737797", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "file": { - "archived": true, - "is_executable": false - } - }, + }, + "version": 5 + } + }, + { "@timestamp": "2020-05-12T06:48:27.084Z", - "file": { - "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", - "path": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d", - "directory": "C:\\Windows\\System32\\LogFiles\\Scm" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM" + "event": { + "category": [ + "file" ], - "hash": [ - "5a9bddf83be530b481f0fd24db28a6ff" + "code": "23", + "created": "2020-05-12T06:48:27.084Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-12T06:48:27.084044200Z'/\u003e\u003cEventRecordID\u003e2243\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1188' ThreadID='1600'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-12 
06:48:27.084\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-4664-5eba-91ae-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e820\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" ] }, + "file": { + "directory": "C:\\Windows\\System32\\LogFiles\\Scm", + "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", + "path": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d" + }, "log": { "level": "information" }, - "event": { - "ingested": "2022-01-12T05:19:53.803708900Z", - "code": "23", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e23\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e23\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-12T06:48:27.084044200Z'/\u003e\u003cEventRecordID\u003e2243\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1188' ThreadID='1600'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData 
Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-12 06:48:27.084\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-4664-5eba-91ae-000000000000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e820\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\u003c/Data\u003e\u003cData Name='Hashes'\u003eMD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-12T06:48:27.084Z", - "category": [ - "file" + "process": { + "entity_id": "{42f11c3b-4664-5eba-91ae-000000000000}", + "executable": "C:\\Windows\\system32\\svchost.exe", + "hash": { + "md5": "5a9bddf83be530b481f0fd24db28a6ff" + }, + "name": "svchost.exe", + "pid": 820 + }, + "related": { + "hash": [ + "5a9bddf83be530b481f0fd24db28a6ff" ], - "type": [ - "deletion" + "user": [ + "SYSTEM" ] }, + "sysmon": { + "file": { + "archived": true, + "is_executable": false + } + }, "user": { - "name": "SYSTEM", "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "process": { - "name": "dllhost.exe", - "pid": 5184, - "entity_id": "{9f32b55f-d9de-5f98-f006-000000000600}", - "executable": "C:\\Windows\\System32\\dllhost.exe" + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2020-10-28T02:39:26.374Z", "winlog": { - "computer_name": "vagrant", - "record_id": "10685", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "23", + "opcode": "Info", "process": { - "pid": 1676, + "pid": 1188, "thread": { - "id": 4796 + "id": 1600 } }, - "event_id": 
"7", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "SignatureStatus": "Valid", - "Company": "Microsoft Corporation", - "Description": "Identity Store", - "Signed": "true", - "FileVersion": "10.0.17763.1 (WinBuild.160101.0800)", - "Signature": "Microsoft Windows", - "Product": "Microsoft« Windows« Operating System" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 3, + "record_id": "2243", "user": { "identifier": "S-1-5-18" - } + }, + "version": 5 + } + }, + { + "@timestamp": "2020-10-28T02:39:26.374Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "process" + ], + "code": "7", + "created": "2020-10-28T02:39:26.388Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e7\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e7\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-28T02:39:26.388325200Z'/\u003e\u003cEventRecordID\u003e10685\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1676' ThreadID='4796'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-28 02:39:26.374\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-d9de-5f98-f006-000000000600}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5184\u003c/Data\u003e\u003cData 
Name='Image'\u003eC:\\Windows\\System32\\dllhost.exe\u003c/Data\u003e\u003cData Name='ImageLoaded'\u003eC:\\Windows\\System32\\IDStore.dll\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.1 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eIdentity Store\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eIdStore.dll\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\u003c/Data\u003e\u003cData Name='Signed'\u003etrue\u003c/Data\u003e\u003cData Name='Signature'\u003eMicrosoft Windows\u003c/Data\u003e\u003cData Name='SignatureStatus'\u003eValid\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] }, "file": { - "path": "C:\\Windows\\System32\\IDStore.dll", - "extension": "dll", "code_signature": { - "valid": true, + "status": "Valid", "subject_name": "Microsoft Windows", - "status": "Valid" - }, - "pe": { - "file_version": "10.0.17763.1 (WinBuild.160101.0800)", - "description": "Identity Store", - "product": "Microsoft« Windows« Operating System", - "original_file_name": "IdStore.dll", - "company": "Microsoft Corporation", - "imphash": "194f3797b52231028c718b6d776c6853" + "valid": true }, - "name": "IDStore.dll", "directory": "C:\\Windows\\System32", + "extension": "dll", "hash": { + "md5": "c7c45610f644906e6f7d664ef2e45b08", "sha1": "9955a1c071c44a7ceecc0d928a9cfb7f64cc3f93", - "sha256": "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e", - "md5": "c7c45610f644906e6f7d664ef2e45b08" + "sha256": "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e" + }, + "name": "IDStore.dll", + "path": 
"C:\\Windows\\System32\\IDStore.dll", + "pe": { + "company": "Microsoft Corporation", + "description": "Identity Store", + "file_version": "10.0.17763.1 (WinBuild.160101.0800)", + "imphash": "194f3797b52231028c718b6d776c6853", + "original_file_name": "IdStore.dll", + "product": "Microsoft« Windows« Operating System" } }, - "ecs": { - "version": "8.0.0" + "log": { + "level": "information" + }, + "process": { + "entity_id": "{9f32b55f-d9de-5f98-f006-000000000600}", + "executable": "C:\\Windows\\System32\\dllhost.exe", + "name": "dllhost.exe", + "pid": 5184 }, "related": { "hash": [ 
@@ -21319,258 +21111,228 @@ "194f3797b52231028c718b6d776c6853" ] }, - "log": { - "level": "information" - }, - "event": { - "ingested": "2022-01-12T05:19:53.803709222Z", - "code": "7", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e7\u003c/EventID\u003e\u003cVersion\u003e3\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e7\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-10-28T02:39:26.388325200Z'/\u003e\u003cEventRecordID\u003e10685\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='1676' ThreadID='4796'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-10-28 02:39:26.374\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9f32b55f-d9de-5f98-f006-000000000600}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e5184\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\dllhost.exe\u003c/Data\u003e\u003cData Name='ImageLoaded'\u003eC:\\Windows\\System32\\IDStore.dll\u003c/Data\u003e\u003cData Name='FileVersion'\u003e10.0.17763.1 (WinBuild.160101.0800)\u003c/Data\u003e\u003cData Name='Description'\u003eIdentity Store\u003c/Data\u003e\u003cData Name='Product'\u003eMicrosoft« Windows« Operating System\u003c/Data\u003e\u003cData Name='Company'\u003eMicrosoft Corporation\u003c/Data\u003e\u003cData Name='OriginalFileName'\u003eIdStore.dll\u003c/Data\u003e\u003cData 
Name='Hashes'\u003eSHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\u003c/Data\u003e\u003cData Name='Signed'\u003etrue\u003c/Data\u003e\u003cData Name='Signature'\u003eMicrosoft Windows\u003c/Data\u003e\u003cData Name='SignatureStatus'\u003eValid\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-10-28T02:39:26.388Z", - "category": [ - "process" - ], - "type": [ - "change" - ] - }, "user": { "id": "S-1-5-18" - } - }, - { - "registry": { - "hive": "HKU", - "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "value": "HRZR_PGYFRFFVBA", - "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA" - }, - "process": { - "name": "Explorer.EXE", - "pid": 4320, - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", - "executable": "C:\\Windows\\Explorer.EXE" }, - "@timestamp": "2020-05-05T14:57:46.808Z", "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", - "record_id": "2691", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "Identity Store", + "FileVersion": "10.0.17763.1 (WinBuild.160101.0800)", + "Product": "Microsoft« Windows« Operating System", + "Signature": "Microsoft Windows", + "SignatureStatus": "Valid", + "Signed": "true" + }, + "event_id": "7", + "opcode": "Info", "process": { - "pid": 5496, + "pid": 1676, "thread": { - "id": 876 + "id": 4796 } }, - "event_id": "13", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { 
- "EventType": "SetValue" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 2, + "record_id": "10685", "user": { "identifier": "S-1-5-18" - } - }, + }, + "version": 3 + } + }, + { + "@timestamp": "2020-05-05T14:57:46.808Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803709543Z", - "code": "13", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818869100Z'/\u003e\u003cEventRecordID\u003e2691\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", 
- "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2020-05-05T14:57:46.818Z", "category": [ "configuration", "registry" ], + "code": "13", + "created": "2020-05-05T14:57:46.818Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e13\u003c/EventID\u003e\u003cVersion\u003e2\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e13\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-05T14:57:46.818869100Z'/\u003e\u003cEventRecordID\u003e2691\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='5496' ThreadID='876'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='EventType'\u003eSetValue\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2020-05-05 14:57:46.808\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{5b522f6e-7554-5eb1-6d00-000000000800}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e4320\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\Explorer.EXE\u003c/Data\u003e\u003cData Name='TargetObject'\u003eHKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\u003c/Data\u003e\u003cData Name='Details'\u003eBinary Data\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, - "user": { - "id": "S-1-5-18" - } - }, - { + "log": { + "level": "information" + }, "process": { - "name": 
"vmtoolsd.exe", - "pid": 2144, - "entity_id": "{9497d8d9-aa1b-602f-a600-000000001000}", - "hash": { - "sha256": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" - }, - "executable": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "value": "HRZR_PGYFRFFVBA" + }, + "user": { + "id": "S-1-5-18" }, "winlog": { - "computer_name": "DESKTOP-I9CQVAQ", - "record_id": "10757412", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", "process": { - "pid": 3800, + "pid": 5496, "thread": { - "id": 6444 + "id": 876 } }, - "event_id": "24", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "ClientInfo": "user: DESKTOP-I9CQVAQ\\luks", - "Session": "1" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "2691", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "file": { - "archived": true - } - }, + }, + "version": 2 + } + }, + { "@timestamp": "2021-02-25T15:04:48.592Z", "ecs": { "version": "8.0.0" }, - "related": { - "hash": [ - "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" - ] - }, - "log": { - "level": "information" - }, - "host": { - "name": "DESKTOP-I9CQVAQ" - }, "event": { - "ingested": 
"2022-01-12T05:19:53.803709925Z", "code": "24", + "created": "2021-02-25T15:04:48.607Z", + "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e24\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e24\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2021-02-25T15:04:48.607343500Z'/\u003e\u003cEventRecordID\u003e10757412\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='3800' ThreadID='6444'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003eDESKTOP-I9CQVAQ\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2021-02-25 15:04:48.592\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{9497d8d9-aa1b-602f-a600-000000001000}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e2144\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\u003c/Data\u003e\u003cData Name='Session'\u003e1\u003c/Data\u003e\u003cData Name='ClientInfo'\u003euser: DESKTOP-I9CQVAQ\\luks\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000\u003c/Data\u003e\u003cData Name='Archived'\u003etrue\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2021-02-25T15:04:48.607Z", "type": [ "change" ] }, + "host": { + "name": "DESKTOP-I9CQVAQ" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": 
"{9497d8d9-aa1b-602f-a600-000000001000}", + "executable": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "hash": { + "sha256": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" + }, + "name": "vmtoolsd.exe", + "pid": 2144 + }, + "related": { + "hash": [ + "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" + ] + }, + "sysmon": { + "file": { + "archived": true + } + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "chrome.exe", - "pid": 1600, - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" }, - "@timestamp": "2019-03-18T16:57:52.433Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "record_id": "32", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "DESKTOP-I9CQVAQ", + "event_data": { + "ClientInfo": "user: DESKTOP-I9CQVAQ\\luks", + "Session": "1" + }, + "event_id": "24", + "opcode": "Info", "process": { - "pid": 4860, + "pid": 3800, "thread": { - "id": 4516 + "id": 6444 } }, - "event_id": "2", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "event_data": { - "CreationUtcTime": "2019-03-18 16:52:05.339", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" - }, - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 4, + "record_id": "10757412", "user": { "identifier": "S-1-5-18" - } - }, - "file": { - "name": "ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", - "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", - "extension": "tmp", - "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def" - }, + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", "ecs": { "version": "8.0.0" 
}, - "log": { - "level": "information" - }, "event": { - "ingested": "2022-01-12T05:19:53.803710256Z", - "code": "2", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e32\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.339\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-Sysmon", - "kind": "event", - "created": "2019-03-18T16:57:52.433Z", "category": [ "file" ], + "code": "2", + "created": "2019-03-18T16:57:52.433Z", + "kind": "event", + 
"original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e2\u003c/EventID\u003e\u003cVersion\u003e4\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-03-18T16:57:52.433367300Z'/\u003e\u003cEventRecordID\u003e32\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='4860' ThreadID='4516'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2012-r2\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-03-18 16:57:52.433\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{42f11c3b-ccaa-5c8f-0000-0010b4e22700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1600\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\u003c/Data\u003e\u003cData Name='CreationUtcTime'\u003e2019-03-18 16:52:05.339\u003c/Data\u003e\u003cData Name='PreviousCreationUtcTime'\u003e2019-03-18 16:57:52.417\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", "type": [ "change" ] }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def", + "extension": "tmp", + "name": "ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", + "path": 
"C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, "user": { "id": "S-1-5-18" - } - }, - { - "process": { - "name": "iexplore.exe", - "pid": 356, - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", - "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe" }, "winlog": { - "computer_name": "vagrant-2016", - "record_id": "234", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:05.339", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + }, + "event_id": "2", + "opcode": "Info", "process": { - "pid": 2828, + "pid": 4860, "thread": { - "id": 1684 + "id": 4516 } }, - "event_id": "22", "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", - "channel": "Microsoft-Windows-Sysmon/Operational", - "opcode": "Info", "provider_name": "Microsoft-Windows-Sysmon", - "version": 5, + "record_id": "32", "user": { "identifier": "S-1-5-18" - } - }, - "sysmon": { - "dns": { - "status": "SUCCESS" - } - }, - "log": { - "level": "information" - }, - "dns": { - "question": { - "name": "c.urs.microsoft.com", - "subdomain": "c.urs", - "registered_domain": "microsoft.com", - "top_level_domain": "com" }, + "version": 4 + } + }, + { + "@timestamp": "2019-07-18T03:49:51.154Z", + "dns": { "answers": [ { "data": "wd-prod-ss.trafficmanager.net", @@ -21609,6 +21371,12 @@ "type": "AAAA" } ], + "question": { + "name": "c.urs.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "c.urs", + "top_level_domain": "com" + }, "resolved_ip": [ "89.160.20.156", "192.168.6.30", 
@@ -21619,12 +21387,35 @@
"2001:503:83eb::30"
]
},
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "code": "22",
+ "created": "2019-07-18T03:49:52.105Z",
+ "kind": "event",
+ "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
+ "provider": "Microsoft-Windows-Sysmon",
+ "type": [
+ "connection",
+ "protocol",
+ "info"
+ ]
+ },
+ "log": {
+ "level": "information"
+ },
"network": {
"protocol": "dns"
},
- "@timestamp": "2019-07-18T03:49:51.154Z",
- "ecs": {
- "version": "8.0.0"
+ "process": {
+ "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}",
+ "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
+ "name": "iexplore.exe",
+ "pid": 356
},
"related": {
"hosts": [
@@ -21642,24 +21433,32 @@
"2001:503:83eb::30"
]
},
- "event": {
- "ingested": "2022-01-12T05:19:53.803710586Z",
- "code": "22",
- "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e22\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e22\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2019-07-18T03:49:52.105632700Z'/\u003e\u003cEventRecordID\u003e234\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2828' ThreadID='1684'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant-2016\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2019-07-18 03:49:51.154\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{fa4a0de6-e8a8-5d2f-0000-001094619900}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e356\u003c/Data\u003e\u003cData Name='QueryName'\u003ec.urs.microsoft.com\u003c/Data\u003e\u003cData Name='QueryStatus'\u003e0\u003c/Data\u003e\u003cData Name='QueryResults'\u003etype: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:89.160.20.156;192.168.6.30;2001:503:a83e::2:30;192.168.14.30;2001:503:231d::2:30;192.168.92.30;2001:503:83eb::30;\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Program Files\\Internet Explorer\\iexplore.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e",
- "provider": "Microsoft-Windows-Sysmon",
- "kind": "event",
- "created": "2019-07-18T03:49:52.105Z",
- "category": [
- "network"
- ],
- "type": [
- "connection",
- "protocol",
- "info"
- ]
+ "sysmon": {
+ "dns": {
+ "status": "SUCCESS"
+ }
},
"user": {
"id": "S-1-5-18"
+ },
+ "winlog": {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "computer_name": "vagrant-2016",
+ "event_id": "22",
+ "opcode": "Info",
+ "process": {
+ "pid": 2828,
+ "thread": {
+ "id": 1684
+ }
+ },
+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_name": "Microsoft-Windows-Sysmon",
+ "record_id": "234",
+ "user": {
+ "identifier": "S-1-5-18"
+ },
+ "version": 5
}
}
]
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml
index 6d94b1bfe64..7e9df152b05 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell.yml
@@ -38,9 +38,6 @@ processors:
ignore_failure: true
if: ctx?.winlog?.time_created != null
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- set:
field: event.kind
value: event
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
index 90e4f573fa1..16d21d8fe82 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
@@ -40,9 +40,6 @@ processors:
ignore_failure: true
if: ctx?.winlog?.time_created != null
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- set:
field: event.kind
value: event
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
index a01dcde9ed6..2ff78391457 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
@@ -1,9 +1,6 @@
---
description: Pipeline for Windows Security events
processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- convert:
field: event.code
type: string
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml
index d873c4b2a20..532a8c199ab 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml
@@ -27,9 +27,6 @@ processors:
ignore_failure: true
if: ctx?.winlog?.event_data?.UtcTime != null
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- set:
field: event.kind
value: event
From 5a7d28fadec9136e369c0587716b1dea9e0aaffa Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Thu, 27 Jan 2022 07:46:50 +1030
Subject: [PATCH 4/4] packages/windows/forwarded: add sysmon event 26 handler
---
packages/windows/changelog.yml | 5 +-
.../test-sysmon-operational-events.json | 88 +++++++++++
...smon-operational-events.json-expected.json | 148 ++++++++++++++++++
.../ingest_pipeline/sysmon_operational.yml | 7 +-
4 files changed, 246 insertions(+), 2 deletions(-)
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index 43e923bfd8e..73ba5559001 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -3,7 +3,10 @@
changes:
- description: Add sysmon event 26 handling
type: enhancement
- link: https://github.com/elastic/integrations/pull/xxxx
+ link: https://github.com/elastic/integrations/pull/2566
+ - description: Normalise field order and remove event.ingested
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2566
- version: "1.9.0"
changes:
- description: Expose winlog input ignore_older option.
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json
index 6593c087521..f9c1da4214c 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json
@@ -8643,6 +8643,94 @@ } } } + }, + { + "@timestamp": "2021-05-05T15:30:51.724Z", + "log": { + "level": "information" + }, + "event": { + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e26\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e26\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-01-24T05:12:34.329980300Z'/\u003e\u003cEventRecordID\u003e456\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2764' ThreadID='3792'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-01-24 05:12:34.328\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{63a74932-a2b4-61ee-1b00-000000000700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1264\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=A94808E7C66973B122F66EC6611019C745A9602F8E944F53635CAB58AEF35A79\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "code": "26", + "kind": "event" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Hashes": 
"SHA256=A94808E7C66973B122F66EC6611019C745A9602F8E944F53635CAB58AEF35A79", + "Image": "C:\\Windows\\System32\\svchost.exe", + "IsExecutable": "false", + "ProcessGuid": "{63a74932-a2b4-61ee-1b00-000000000700}", + "ProcessId": "1264", + "RuleName": "-", + "TargetFilename": "C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat", + "User": "NT AUTHORITY\\LOCAL SERVICE", + "UtcTime": "2022-01-24 05:12:34.328" + }, + "event_id": "26", + "level": "information", + "opcode": "Info", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 456, + "time_created": "2022-01-24T05:12:34.3299803Z", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } + }, + { + "@timestamp": "2021-05-05T15:30:51.731Z", + "log": { + "level": "information" + }, + "event": { + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e26\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e26\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-01-24T05:12:51.042270000Z'/\u003e\u003cEventRecordID\u003e457\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2764' ThreadID='3792'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-01-24 05:12:51.031\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{63a74932-3523-61ee-af00-000000000700}\u003c/Data\u003e\u003cData 
Name='ProcessId'\u003e1364\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=D78FBF654D84DDF2CB4FE221F7D8B61E0DECDEE48A4687915E6E4A2296E2418B\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "code": "26", + "kind": "event" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Hashes": "SHA256=D78FBF654D84DDF2CB4FE221F7D8B61E0DECDEE48A4687915E6E4A2296E2418B", + "Image": "C:\\Windows\\system32\\svchost.exe", + "IsExecutable": "false", + "ProcessGuid": "{63a74932-3523-61ee-af00-000000000700}", + "ProcessId": "1364", + "RuleName": "-", + "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000", + "User": "NT AUTHORITY\\SYSTEM", + "UtcTime": "2022-01-24 05:12:51.031" + }, + "event_id": "26", + "level": "information", + "opcode": "Info", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 457, + "time_created": "2022-01-24T05:12:51.04227Z", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json index 166af7fe76d..90939021c53 100644 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json 
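Review bot: Both new fixture events carry `IsExecutable` = `false` and a single-algorithm `Hashes` value (`SHA256=…` only), so the boolean conversion behind `sysmon.file.is_executable` is only checked for the false case and the multi-hash form Sysmon can emit (`MD5=…,SHA256=…,IMPHASH=…`) is never pushed through the code-26 path; in particular the `process.hash.imphash` rename that now runs for this code has no fixture exercising it. Adding one event 26 record with `IsExecutable` true and a comma-separated `Hashes` list would close that gap. The fixture `@timestamp` values (2021-05-05) do not match the `UtcTime` data (2022-01-24); this looks harmless because the expected output rewrites `@timestamp` from `UtcTime`, but aligning them would make the fixture easier to read.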
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-expected.json 
@@ -21460,6 +21460,154 @@ }, "version": 5 } + }, + { + "@timestamp": "2022-01-24T05:12:34.328Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "file" + ], + "code": "26", + "created": "2022-01-24T05:12:34.329Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e26\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e26\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-01-24T05:12:34.329980300Z'/\u003e\u003cEventRecordID\u003e456\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution ProcessID='2764' ThreadID='3792'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-01-24 05:12:34.328\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{63a74932-a2b4-61ee-1b00-000000000700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1264\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\LOCAL SERVICE\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\System32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=A94808E7C66973B122F66EC6611019C745A9602F8E944F53635CAB58AEF35A79\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" + ] + }, + "file": { + "directory": 
"C:\\Windows\\ServiceState\\EventLog\\Data", + "extension": "dat", + "name": "lastalive1.dat", + "path": "C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{63a74932-a2b4-61ee-1b00-000000000700}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "hash": { + "sha256": "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79" + }, + "name": "svchost.exe", + "pid": 1264 + }, + "related": { + "hash": [ + "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79" + ], + "user": [ + "LOCAL SERVICE" + ] + }, + "sysmon": { + "file": { + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "LOCAL SERVICE" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_id": "26", + "opcode": "Info", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "456", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } + }, + { + "@timestamp": "2022-01-24T05:12:51.031Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "file" + ], + "code": "26", + "created": "2022-01-24T05:12:51.042Z", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/\u003e\u003cEventID\u003e26\u003c/EventID\u003e\u003cVersion\u003e5\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e26\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8000000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2022-01-24T05:12:51.042270000Z'/\u003e\u003cEventRecordID\u003e457\u003c/EventRecordID\u003e\u003cCorrelation/\u003e\u003cExecution 
ProcessID='2764' ThreadID='3792'/\u003e\u003cChannel\u003eMicrosoft-Windows-Sysmon/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-18'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='RuleName'\u003e-\u003c/Data\u003e\u003cData Name='UtcTime'\u003e2022-01-24 05:12:51.031\u003c/Data\u003e\u003cData Name='ProcessGuid'\u003e{63a74932-3523-61ee-af00-000000000700}\u003c/Data\u003e\u003cData Name='ProcessId'\u003e1364\u003c/Data\u003e\u003cData Name='User'\u003eNT AUTHORITY\\SYSTEM\u003c/Data\u003e\u003cData Name='Image'\u003eC:\\Windows\\system32\\svchost.exe\u003c/Data\u003e\u003cData Name='TargetFilename'\u003eC:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000\u003c/Data\u003e\u003cData Name='Hashes'\u003eSHA256=D78FBF654D84DDF2CB4FE221F7D8B61E0DECDEE48A4687915E6E4A2296E2418B\u003c/Data\u003e\u003cData Name='IsExecutable'\u003efalse\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" + ] + }, + "file": { + "directory": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache", + "extension": "000", + "name": "OLDCACHE.000", + "path": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{63a74932-3523-61ee-af00-000000000700}", + "executable": "C:\\Windows\\system32\\svchost.exe", + "hash": { + "sha256": "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b" + }, + "name": "svchost.exe", + "pid": 1364 + }, + "related": { + "hash": [ + "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b" + ], + "user": [ + "SYSTEM" + ] + }, + "sysmon": { + "file": { + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_id": "26", + 
"opcode": "Info", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "457", + "user": { + "identifier": "S-1-5-18" + }, + "version": 5 + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml index 532a8c199ab..0a999ecaeff 100644 --- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml +++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/sysmon_operational.yml @@ -143,6 +143,11 @@ processors: - process type: - change + "26": + category: + - file + type: + - deletion tag: Set ECS categorization fields source: |- if (ctx?.event?.code == null || params.get(ctx.event.code) == null) { @@ -234,7 +239,7 @@ processors: target_field: process.hash if: |- ctx?._temp?.hashes != null && - ["1", "23", "24", "25"].contains(ctx.event.code) + ["1", "23", "24", "25", "26"].contains(ctx.event.code) - rename: field: process.hash.imphash target_field: process.pe.imphash