diff --git a/x-pack/plugins/security_solution/public/resolver/embeddable.tsx b/x-pack/plugins/security_solution/public/resolver/embeddable.tsx deleted file mode 100644 index 5ec71e6b3041e0..00000000000000 --- a/x-pack/plugins/security_solution/public/resolver/embeddable.tsx +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import ReactDOM from 'react-dom'; -import React from 'react'; -import { Provider } from 'react-redux'; -import { Resolver } from './view'; -import { storeFactory } from './store'; -import { Embeddable } from '../../../../../src/plugins/embeddable/public'; - -export class ResolverEmbeddable extends Embeddable { - public readonly type = 'resolver'; - private lastRenderTarget?: Element; - - public render(node: HTMLElement) { - if (this.lastRenderTarget !== undefined) { - ReactDOM.unmountComponentAtNode(this.lastRenderTarget); - } - this.lastRenderTarget = node; - const { store } = storeFactory(); - ReactDOM.render( - - - , - node - ); - } - - public reload(): void { - throw new Error('Method not implemented.'); - } - - public destroy(): void { - if (this.lastRenderTarget !== undefined) { - ReactDOM.unmountComponentAtNode(this.lastRenderTarget); - } - } -} diff --git a/x-pack/plugins/security_solution/public/resolver/factory.ts b/x-pack/plugins/security_solution/public/resolver/factory.ts deleted file mode 100644 index 5168d2771e7235..00000000000000 --- a/x-pack/plugins/security_solution/public/resolver/factory.ts +++ /dev/null @@ -1,31 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { i18n } from '@kbn/i18n'; -import { - IContainer, - EmbeddableInput, - EmbeddableFactoryDefinition, -} from '../../../../../src/plugins/embeddable/public'; -import { ResolverEmbeddable } from './embeddable'; - -export class ResolverEmbeddableFactory implements EmbeddableFactoryDefinition { - public readonly type = 'resolver'; - - public async isEditable() { - return true; - } - - public async create(initialInput: EmbeddableInput, parent?: IContainer) { - return new ResolverEmbeddable(initialInput, {}, parent); - } - - public getDisplayName() { - return i18n.translate('xpack.securitySolution.endpoint.resolver.displayNameTitle', { - defaultMessage: 'Resolver', - }); - } -} diff --git a/x-pack/plugins/security_solution/public/resolver/index.ts b/x-pack/plugins/security_solution/public/resolver/index.ts deleted file mode 100644 index e4f3cc90ae30aa..00000000000000 --- a/x-pack/plugins/security_solution/public/resolver/index.ts +++ /dev/null @@ -1,8 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -export { ResolverEmbeddableFactory } from './factory'; -export { ResolverEmbeddable } from './embeddable'; diff --git a/x-pack/plugins/security_solution/public/resolver/store/data/sample.ts b/x-pack/plugins/security_solution/public/resolver/store/data/sample.ts deleted file mode 100644 index b0ed9f3554c9bb..00000000000000 --- a/x-pack/plugins/security_solution/public/resolver/store/data/sample.ts +++ /dev/null @@ -1,1608 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License; - * you may not use this file except in compliance with the Elastic License. - */ - -import { ProcessEvent } from '../../types'; - -interface ProcessEventSampleData { - data: { - result: { - search_results: ProcessEvent[]; - }; - }; -} - -const rawData = { - data: { - code: 200, - result: { - alert_id: 'a9834bf5-42c1-4039-83be-08c3ad3232b3', - bulk_task_id: null, - correlation_id: '7022e509-087e-493d-b02c-d88a206cd993', - created_at: '2019-09-24T03:17:36Z', - endpoint: { - ad_distinguished_name: - 'CN=ENDPOINT-W-1-07,OU=Desktops,OU=Workstations,OU=Computers_DEMO,DC=demo,DC=endgamelabs,DC=net', - ad_hostname: 'demo.endgamelabs.net', - display_operating_system: 'Windows 7 (SP1)', - hostname: 'ENDPOINT-W-1-07', - id: '39153006-0064-424b-99e9-4e21dcc00c2e', - ip_address: '172.31.27.17', - mac_address: '00:50:56:b1:b7:7b', - name: 'ENDPOINT-W-1-07', - operating_system: 'Windows 6.1 Service Pack 1', - status: 'monitored', - updated_at: '2019-09-24T01:48:47.960649+00:00', - }, - event_logging_search_request_count: 3, - family: 'collection', - investigation_id: null, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - message_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - metadata: { - chunk_id: 0, - correlation_id: '7022e509-087e-493d-b02c-d88a206cd993', - final: true, - message_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - origination_task_id: '2bed7d8b-72b1-4650-882c-5167a2fe1735', - os_type: 'windows', - priority: 50, - result: { - local_code: 0, - local_msg: 'Success', - }, - semantic_version: '3.52.8', - task_id: '2bed7d8b-72b1-4650-882c-5167a2fe1735', - type: 'collection', - }, - origination_task_id: '2bed7d8b-72b1-4650-882c-5167a2fe1735', - pagination: { - backwards: false, - eof: false, - page_number: 3, - page_offset: 31666, - params: - 'eyJhbGVydF9pZCI6ICJhOTgzNGJmNS00MmMxLTQwMzktODNiZS0wOGMzYWQzMjMyYjMiLCAidGVtcGxhdGVfZmlsZSI6ICJwcm9jZXNzLWNvbnRleHQubHVhIiwgImNyaXRlcmlhIjogeyJwaWQiOiAxODA4LCAidW5pcXVlX3BpZCI6IDE4OTQzfX0=', - remaining_events: 0, - }, - pending_event_logging_search_request: false, - results_count: 807, - search_results: [ - { - collection_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - data_buffer: { - _descendant_count: 6, - command_line: '', - depth: -5, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'already_running', - event_type_full: 'process_event', - integrity_level: 'system', - node_id: 1002, - opcode: 3, - pid: 4, - ppid: 0, - process_name: '', - process_path: '', - serial_event_id: 1002, - timestamp: 132137632670000000, - timestamp_utc: '2019-09-24 01:47:47Z', - unique_pid: 1002, - unique_ppid: 1001, - user_domain: 'NT AUTHORITY', - user_name: 'SYSTEM', - user_sid: 'S-1-5-18', - }, - event_timestamp: 132137632670000000, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - data_buffer: { - _descendant_count: 5, - command_line: '\\SystemRoot\\System32\\smss.exe', - depth: -4, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'already_running', - event_type_full: 'process_event', - integrity_level: 'system', - md5: '1911a3356fa3f77ccc825ccbac038c2a', - node_id: 1003, - opcode: 3, - original_file_name: 'smss.exe', - pid: 244, - ppid: 4, - process_name: 'smss.exe', - process_path: 'C:\\Windows\\System32\\smss.exe', - serial_event_id: 1003, - sha1: '706473ad489e5365af1e3431c4f8fe80a9139bc2', - sha256: '6ed135b792c81d78b33a57f0f4770db6105c9ed3e2193629cb3ec38bfd5b7e1b', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 1002, - timestamp: 132137632670000000, - timestamp_utc: '2019-09-24 01:47:47Z', - unique_pid: 1003, - unique_ppid: 1002, - user_domain: 'NT AUTHORITY', - user_name: 'SYSTEM', - user_sid: 'S-1-5-18', - }, - event_timestamp: 132137632670000000, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - data_buffer: { - _descendant_count: 4, - authentication_id: 999, - command_line: '\\SystemRoot\\System32\\smss.exe 00000000 00000048 ', - depth: -3, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'system', - md5: '1911a3356fa3f77ccc825ccbac038c2a', - node_id: 18643, - opcode: 1, - original_file_name: 'smss.exe', - parent_process_name: 'smss.exe', - parent_process_path: 'C:\\Windows\\System32\\smss.exe', - pid: 2364, - ppid: 244, - process_name: 'smss.exe', - process_path: 'C:\\Windows\\System32\\smss.exe', - serial_event_id: 18643, - sha1: '706473ad489e5365af1e3431c4f8fe80a9139bc2', - sha256: '6ed135b792c81d78b33a57f0f4770db6105c9ed3e2193629cb3ec38bfd5b7e1b', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 1003, - timestamp: 132137681960227504, - timestamp_utc: '2019-09-24 03:09:56Z', - unique_pid: 18643, - unique_ppid: 1003, - user_domain: 'NT AUTHORITY', - user_name: 'SYSTEM', - user_sid: 'S-1-5-18', - }, - event_timestamp: 132137681960227504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - data_buffer: { - _descendant_count: 3, - authentication_id: 999, - command_line: 'winlogon.exe', - depth: -2, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'system', - md5: '1151b1baa6f350b1db6598e0fea7c457', - node_id: 18645, - opcode: 1, - original_file_name: 'WINLOGON.EXE', - parent_process_name: 'smss.exe', - parent_process_path: 'C:\\Windows\\System32\\smss.exe', - pid: 3108, - ppid: 2364, - process_name: 'winlogon.exe', - process_path: 'C:\\Windows\\System32\\winlogon.exe', - serial_event_id: 18645, - sha1: '434856b834baf163c5ea4d26434eeae775a507fb', - sha256: 'b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18643, - timestamp: 132137681961163504, - timestamp_utc: '2019-09-24 03:09:56Z', - unique_pid: 18645, - unique_ppid: 18643, - user_domain: 'NT AUTHORITY', - user_name: 'SYSTEM', - user_sid: 'S-1-5-18', - }, - event_timestamp: 132137681961163504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - data_buffer: { - depth: -2, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 0, - md5: '1911a3356fa3f77ccc825ccbac038c2a', - node_id: 18646, - opcode: 2, - original_file_name: 'smss.exe', - parent_process_name: 'smss.exe', - parent_process_path: 'C:\\Windows\\System32\\smss.exe', - pid: 2364, - ppid: 244, - process_name: 'smss.exe', - process_path: 'C:\\Windows\\System32\\smss.exe', - serial_event_id: 18646, - sha1: '706473ad489e5365af1e3431c4f8fe80a9139bc2', - sha256: '6ed135b792c81d78b33a57f0f4770db6105c9ed3e2193629cb3ec38bfd5b7e1b', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18643, - timestamp: 132137681961787504, - timestamp_utc: '2019-09-24 03:09:56Z', - unique_pid: 18643, - unique_ppid: 1003, - user_domain: 'NT AUTHORITY', - user_name: 'SYSTEM', - user_sid: 'S-1-5-18', - }, - event_timestamp: 132137681961787504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - data_buffer: { - _descendant_count: 1, - authentication_id: 4904488, - command_line: 'C:\\Windows\\system32\\userinit.exe', - depth: -1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'bafe84e637bf7388c96ef48d4d3fdd53', - node_id: 18833, - opcode: 1, - original_file_name: 'USERINIT.EXE', - parent_process_name: 'winlogon.exe', - parent_process_path: 'C:\\Windows\\System32\\winlogon.exe', - pid: 3560, - ppid: 3108, - process_name: 'userinit.exe', - process_path: 'C:\\Windows\\System32\\userinit.exe', - serial_event_id: 18833, - sha1: '47267f943f060e36604d56c8895a6eece063d9a1', - sha256: '11c194d9adce90027272c627d7fbf3ba5025ff0f7b26a8333f764e11e1382cf9', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18645, - timestamp: 132137681981287504, - timestamp_utc: '2019-09-24 03:09:58Z', - unique_pid: 18833, - unique_ppid: 18645, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137681981287504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - data_buffer: { - _descendant_count: 0, - authentication_id: 4904488, - command_line: 'C:\\Windows\\Explorer.EXE', - depth: 0, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'ac4c51eb24aa95b77f705ab159189e24', - node_id: 18943, - opcode: 1, - origin: true, - original_file_name: 'EXPLORER.EXE', - parent_process_name: 'userinit.exe', - parent_process_path: 'C:\\Windows\\System32\\userinit.exe', - pid: 1808, - ppid: 3560, - process_name: 'explorer.exe', - process_path: 'C:\\Windows\\explorer.exe', - serial_event_id: 18943, - sha1: '4583daf9442880204730fb2c8a060430640494b1', - sha256: '6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18833, - timestamp: 132137681985655504, - timestamp_utc: '2019-09-24 03:09:58Z', - unique_pid: 18943, - unique_ppid: 18833, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137681985655504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - data_buffer: { - authentication_id: 4904488, - command_line: '"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: '8dc5ad50587b936f7f616738112bfd2a', - node_id: 19545, - opcode: 1, - original_file_name: 'vmtoolsd.exe', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 3596, - ppid: 1808, - process_name: 'vmtoolsd.exe', - process_path: 'C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe', - serial_event_id: 19545, - sha1: '04479ea30943ec471a6a5ca4c0dc74b5ff496e9f', - sha256: 'd6d9f041da6f724bf69f48bbee3bf41295a0ed4dca715b1908c5f35bc8034d53', - signature_signer: 'VMware, Inc.', - signature_status: 'trusted', - source_id: 18943, - timestamp: 132137681999539504, - timestamp_utc: '2019-09-24 03:09:59Z', - unique_pid: 19545, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137681999539504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - data_buffer: { - depth: 0, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 0, - md5: 'bafe84e637bf7388c96ef48d4d3fdd53', - node_id: 20261, - opcode: 2, - original_file_name: 'USERINIT.EXE', - parent_process_name: 'winlogon.exe', - parent_process_path: 'C:\\Windows\\System32\\winlogon.exe', - pid: 3560, - ppid: 3108, - process_name: 'userinit.exe', - process_path: 'C:\\Windows\\System32\\userinit.exe', - serial_event_id: 20261, - sha1: '47267f943f060e36604d56c8895a6eece063d9a1', - sha256: '11c194d9adce90027272c627d7fbf3ba5025ff0f7b26a8333f764e11e1382cf9', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18833, - timestamp: 132137682277819504, - timestamp_utc: '2019-09-24 03:10:27Z', - unique_pid: 18833, - unique_ppid: 18645, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137682277819504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - data_buffer: { - authentication_id: 4904488, - command_line: '"C:\\Windows\\explorer.exe" ', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'ac4c51eb24aa95b77f705ab159189e24', - node_id: 20303, - opcode: 1, - original_file_name: 'EXPLORER.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 3124, - ppid: 1808, - process_name: 'explorer.exe', - process_path: 'C:\\Windows\\explorer.exe', - serial_event_id: 20303, - sha1: '4583daf9442880204730fb2c8a060430640494b1', - sha256: '6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18943, - timestamp: 132137682603979504, - timestamp_utc: '2019-09-24 03:11:00Z', - unique_pid: 20303, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137682603979504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: '310624aa-bb2b-442b-a6c9-3284148b0ae3', - data_buffer: { - depth: 2, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 1, - md5: 'ac4c51eb24aa95b77f705ab159189e24', - node_id: 20310, - opcode: 2, - original_file_name: 'EXPLORER.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 3124, - ppid: 1808, - process_name: 'explorer.exe', - process_path: 'C:\\Windows\\explorer.exe', - serial_event_id: 20310, - sha1: '4583daf9442880204730fb2c8a060430640494b1', - sha256: '6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 20303, - timestamp: 132137682604229504, - timestamp_utc: '2019-09-24 03:11:00Z', - unique_pid: 20303, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137682604229504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: '"C:\\Windows\\explorer.exe" ', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'ac4c51eb24aa95b77f705ab159189e24', - node_id: 20455, - opcode: 1, - original_file_name: 'EXPLORER.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 3084, - ppid: 1808, - process_name: 'explorer.exe', - process_path: 'C:\\Windows\\explorer.exe', - serial_event_id: 20455, - sha1: '4583daf9442880204730fb2c8a060430640494b1', - sha256: '6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18943, - timestamp: 132137682773669504, - timestamp_utc: '2019-09-24 03:11:17Z', - unique_pid: 20455, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137682773669504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 2, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 1, - md5: 'ac4c51eb24aa95b77f705ab159189e24', - node_id: 20462, - opcode: 2, - original_file_name: 'EXPLORER.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 3084, - ppid: 1808, - process_name: 'explorer.exe', - process_path: 'C:\\Windows\\explorer.exe', - serial_event_id: 20462, - sha1: '4583daf9442880204730fb2c8a060430640494b1', - sha256: '6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 20455, - timestamp: 132137682774259504, - timestamp_utc: '2019-09-24 03:11:17Z', - unique_pid: 20455, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137682774259504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: '"C:\\Windows\\System32\\cmd.exe" ', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: '5746bd7e255dd6a8afa06f7c42c1ba41', - node_id: 21120, - opcode: 1, - original_file_name: 'Cmd.Exe', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 3280, - ppid: 1808, - process_name: 'cmd.exe', - process_path: 'C:\\Windows\\System32\\cmd.exe', - serial_event_id: 21120, - sha1: '0f3c4ff28f354aede202d54e9d1c5529a3bf87d8', - sha256: 'db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18943, - timestamp: 132137682997939504, - timestamp_utc: '2019-09-24 03:11:39Z', - unique_pid: 21120, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137682997939504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: '"C:\\Windows\\explorer.exe" ', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'ac4c51eb24aa95b77f705ab159189e24', - node_id: 21166, - opcode: 1, - original_file_name: 'EXPLORER.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 3548, - ppid: 1808, - process_name: 'explorer.exe', - process_path: 'C:\\Windows\\explorer.exe', - serial_event_id: 21166, - sha1: '4583daf9442880204730fb2c8a060430640494b1', - sha256: '6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18943, - timestamp: 132137683166079504, - timestamp_utc: '2019-09-24 03:11:56Z', - unique_pid: 21166, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137683166079504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 2, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 1, - md5: 'ac4c51eb24aa95b77f705ab159189e24', - node_id: 21173, - opcode: 2, - original_file_name: 'EXPLORER.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 3548, - ppid: 1808, - process_name: 'explorer.exe', - process_path: 'C:\\Windows\\explorer.exe', - serial_event_id: 21173, - sha1: '4583daf9442880204730fb2c8a060430640494b1', - sha256: '6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 21166, - timestamp: 132137683166729504, - timestamp_utc: '2019-09-24 03:11:56Z', - unique_pid: 21166, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137683166729504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: '"C:\\Python27\\python.exe" "C:\\tmp\\dns.py" ', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: '743b91619fbfee3c3e173ba5a17b1290', - node_id: 21480, - opcode: 1, - original_file_name: '', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 4060, - ppid: 1808, - process_name: 'python.exe', - process_path: 'C:\\Python27\\python.exe', - serial_event_id: 21480, - sha1: 'edabcf58d55a5e462f7a368d99616e3ac051c620', - sha256: '45b9384b852d850327e194ac86d84aed8916a3c13fc8f49ca54fddcbca4f7e32', - signature_signer: '', - signature_status: 'noSignature', - source_id: 18943, - timestamp: 132137683493349504, - timestamp_utc: '2019-09-24 03:12:29Z', - unique_pid: 21480, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137683493349504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 2, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 0, - md5: '743b91619fbfee3c3e173ba5a17b1290', - node_id: 21500, - opcode: 2, - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 4060, - ppid: 1808, - process_name: 'python.exe', - process_path: 'C:\\Python27\\python.exe', - serial_event_id: 21500, - sha1: 'edabcf58d55a5e462f7a368d99616e3ac051c620', - sha256: '45b9384b852d850327e194ac86d84aed8916a3c13fc8f49ca54fddcbca4f7e32', - signature_status: 'noSignature', - source_id: 21480, - timestamp: 132137683493889504, - timestamp_utc: '2019-09-24 03:12:29Z', - unique_pid: 21480, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137683493889504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: '"C:\\Python27\\python.exe" "C:\\tmp\\dns.py" ', - depth: 2, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: '743b91619fbfee3c3e173ba5a17b1290', - node_id: 21539, - opcode: 1, - original_file_name: '', - parent_process_name: 'cmd.exe', - parent_process_path: 'C:\\Windows\\System32\\cmd.exe', - pid: 2888, - ppid: 3280, - process_name: 'python.exe', - process_path: 'C:\\Python27\\python.exe', - serial_event_id: 21539, - sha1: 'edabcf58d55a5e462f7a368d99616e3ac051c620', - sha256: '45b9384b852d850327e194ac86d84aed8916a3c13fc8f49ca54fddcbca4f7e32', - signature_signer: '', - signature_status: 'noSignature', - source_id: 21120, - timestamp: 132137683555889504, - timestamp_utc: '2019-09-24 03:12:35Z', - unique_pid: 21539, - unique_ppid: 21120, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137683555889504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 3, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 0, - md5: '743b91619fbfee3c3e173ba5a17b1290', - node_id: 21540, - opcode: 2, - parent_process_name: 'cmd.exe', - parent_process_path: 'C:\\Windows\\System32\\cmd.exe', - pid: 2888, - ppid: 3280, - process_name: 'python.exe', - process_path: 'C:\\Python27\\python.exe', - serial_event_id: 21540, - sha1: 'edabcf58d55a5e462f7a368d99616e3ac051c620', - sha256: '45b9384b852d850327e194ac86d84aed8916a3c13fc8f49ca54fddcbca4f7e32', - signature_status: 'noSignature', - source_id: 21539, - timestamp: 132137683556159504, - timestamp_utc: '2019-09-24 03:12:35Z', - unique_pid: 21539, - unique_ppid: 21120, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137683556159504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: 'C:\\tmp\\fakenet1.4.3\\fakenet.exe', - depth: 2, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'c29675ce0750f73225bf05d03080dfb2', - node_id: 21634, - opcode: 1, - original_file_name: '', - parent_process_name: 'cmd.exe', - parent_process_path: 'C:\\Windows\\System32\\cmd.exe', - pid: 3996, - ppid: 3280, - process_name: 'fakenet.exe', - process_path: 'C:\\tmp\\fakenet1.4.3\\fakenet.exe', - serial_event_id: 21634, - sha1: 'b14763ef982450551bcb09f6e0ecc75d2b9684fb', - sha256: '948f1c024118e434b6867ea593bb180212d35f9d2a9401892903ef22841fb303', - signature_signer: '', - signature_status: 'noSignature', - source_id: 21120, - timestamp: 132137683921669504, - timestamp_utc: '2019-09-24 03:13:12Z', - unique_pid: 21634, - unique_ppid: 21120, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137683921669504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: 'C:\\tmp\\fakenet1.4.3\\fakenet.exe', - depth: 3, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'c29675ce0750f73225bf05d03080dfb2', - node_id: 21669, - opcode: 1, - original_file_name: '', - parent_process_name: 'fakenet.exe', - parent_process_path: 'C:\\tmp\\fakenet1.4.3\\fakenet.exe', - pid: 184, - ppid: 3996, - process_name: 'fakenet.exe', - process_path: 'C:\\tmp\\fakenet1.4.3\\fakenet.exe', - serial_event_id: 21669, - sha1: 'b14763ef982450551bcb09f6e0ecc75d2b9684fb', - sha256: '948f1c024118e434b6867ea593bb180212d35f9d2a9401892903ef22841fb303', - signature_signer: '', - signature_status: 'noSignature', - source_id: 21634, - timestamp: 132137683923819504, - timestamp_utc: '2019-09-24 03:13:12Z', - unique_pid: 21669, - unique_ppid: 21634, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137683923819504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 4, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 1, - md5: 'c29675ce0750f73225bf05d03080dfb2', - node_id: 21679, - opcode: 2, - parent_process_name: 'fakenet.exe', - parent_process_path: 'C:\\tmp\\fakenet1.4.3\\fakenet.exe', - pid: 184, - ppid: 3996, - process_name: 'fakenet.exe', - process_path: 'C:\\tmp\\fakenet1.4.3\\fakenet.exe', - serial_event_id: 21679, - sha1: 'b14763ef982450551bcb09f6e0ecc75d2b9684fb', - sha256: '948f1c024118e434b6867ea593bb180212d35f9d2a9401892903ef22841fb303', - signature_status: 'noSignature', - source_id: 21669, - timestamp: 132137683931089504, - timestamp_utc: '2019-09-24 03:13:13Z', - unique_pid: 21669, - unique_ppid: 21634, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137683931089504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 3, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 1, - md5: 'c29675ce0750f73225bf05d03080dfb2', - node_id: 21694, - opcode: 2, - parent_process_name: 'cmd.exe', - parent_process_path: 'C:\\Windows\\System32\\cmd.exe', - pid: 3996, - ppid: 3280, - process_name: 'fakenet.exe', - process_path: 'C:\\tmp\\fakenet1.4.3\\fakenet.exe', - serial_event_id: 21694, - sha1: 'b14763ef982450551bcb09f6e0ecc75d2b9684fb', - sha256: '948f1c024118e434b6867ea593bb180212d35f9d2a9401892903ef22841fb303', - signature_status: 'noSignature', - source_id: 21634, - timestamp: 132137683931569504, - timestamp_utc: '2019-09-24 03:13:13Z', - unique_pid: 21634, - unique_ppid: 21120, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137683931569504, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: - '"C:\\Windows\\system32\\NOTEPAD.EXE" C:\\tmp\\fakenet1.4.3\\configs\\default.ini', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'f2c7bb8acc97f92e987a2d4087d021b1', - node_id: 21769, - opcode: 1, - original_file_name: 'NOTEPAD.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 2492, - ppid: 1808, - process_name: 'notepad.exe', - process_path: 'C:\\Windows\\System32\\notepad.exe', - serial_event_id: 21769, - sha1: '7eb0139d2175739b3ccb0d1110067820be6abd29', - sha256: '142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18943, - timestamp: 132137684112851830, - timestamp_utc: '2019-09-24 03:13:31Z', - unique_pid: 21769, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137684112851830, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 2, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 0, - md5: 'f2c7bb8acc97f92e987a2d4087d021b1', - node_id: 21794, - opcode: 2, - original_file_name: 'NOTEPAD.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 2492, - ppid: 1808, - process_name: 'notepad.exe', - process_path: 'C:\\Windows\\System32\\notepad.exe', - serial_event_id: 21794, - sha1: '7eb0139d2175739b3ccb0d1110067820be6abd29', - sha256: '142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 21769, - timestamp: 132137684131573702, - timestamp_utc: '2019-09-24 03:13:33Z', - unique_pid: 21769, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137684131573702, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: 'fakenet.exe', - depth: 2, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'c29675ce0750f73225bf05d03080dfb2', - node_id: 21890, - opcode: 1, - original_file_name: '', - parent_process_name: 'cmd.exe', - parent_process_path: 'C:\\Windows\\System32\\cmd.exe', - pid: 1060, - ppid: 3280, - process_name: 'fakenet.exe', - process_path: 'C:\\tmp\\fakenet1.4.3\\fakenet.exe', - serial_event_id: 21890, - sha1: 'b14763ef982450551bcb09f6e0ecc75d2b9684fb', - sha256: '948f1c024118e434b6867ea593bb180212d35f9d2a9401892903ef22841fb303', - signature_signer: '', - signature_status: 'noSignature', - source_id: 21120, - timestamp: 132137684579848525, - timestamp_utc: '2019-09-24 03:14:17Z', - unique_pid: 21890, - unique_ppid: 21120, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137684579848525, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: 'fakenet.exe', - depth: 3, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'c29675ce0750f73225bf05d03080dfb2', - node_id: 21924, - opcode: 1, - original_file_name: '', - parent_process_name: 'fakenet.exe', - parent_process_path: 'C:\\tmp\\fakenet1.4.3\\fakenet.exe', - pid: 4024, - ppid: 1060, - process_name: 'fakenet.exe', - process_path: 'C:\\tmp\\fakenet1.4.3\\fakenet.exe', - serial_event_id: 21924, - sha1: 'b14763ef982450551bcb09f6e0ecc75d2b9684fb', - sha256: '948f1c024118e434b6867ea593bb180212d35f9d2a9401892903ef22841fb303', - signature_signer: '', - signature_status: 'noSignature', - source_id: 21890, - timestamp: 132137684580468587, - timestamp_utc: '2019-09-24 03:14:18Z', - unique_pid: 21924, - unique_ppid: 21890, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137684580468587, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: '"C:\\Windows\\System32\\cmd.exe" ', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: '5746bd7e255dd6a8afa06f7c42c1ba41', - node_id: 22238, - opcode: 1, - original_file_name: 'Cmd.Exe', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 3328, - ppid: 1808, - process_name: 'cmd.exe', - process_path: 'C:\\Windows\\System32\\cmd.exe', - serial_event_id: 22238, - sha1: '0f3c4ff28f354aede202d54e9d1c5529a3bf87d8', - sha256: 'db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18943, - timestamp: 132137684944024939, - timestamp_utc: '2019-09-24 03:14:54Z', - unique_pid: 22238, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137684944024939, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - attack_references: [ - { - tactics: ['Privilege Escalation', 'Execution', 'Persistence'], - technique_id: 'T1053', - technique_name: 'Scheduled Task', - }, - ], - authentication_id: 4904488, - command_line: 'SCHTASKS /CREATE /SC MINUTE /TN "Windiws" /TR "C:\\tmp\\scheduler.bat"', - depth: 2, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: '97e0ec3d6d99e8cc2b17ef2d3760e8fc', - node_id: 22376, - opcode: 1, - original_file_name: 'sctasks.exe', - parent_process_name: 'cmd.exe', - parent_process_path: 'C:\\Windows\\System32\\cmd.exe', - pid: 2864, - ppid: 3328, - process_name: 'schtasks.exe', - process_path: 'C:\\Windows\\System32\\schtasks.exe', - serial_event_id: 22376, - sha1: 'bd9dceffbcbbc82bee5f2109bd73a57477fe1f92', - sha256: '6dce7d58ebb0d705fcb4179349c441b45e160c94e43934c5ed8fa1964e2cd031', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 22238, - timestamp: 132137685249385472, - timestamp_utc: '2019-09-24 03:15:24Z', - unique_pid: 22376, - unique_ppid: 22238, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137685249385472, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 3, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 0, - md5: '97e0ec3d6d99e8cc2b17ef2d3760e8fc', - node_id: 22384, - opcode: 2, - original_file_name: 'sctasks.exe', - parent_process_name: 'cmd.exe', - parent_process_path: 'C:\\Windows\\System32\\cmd.exe', - pid: 2864, - ppid: 3328, - process_name: 'schtasks.exe', - process_path: 'C:\\Windows\\System32\\schtasks.exe', - serial_event_id: 22384, - sha1: 'bd9dceffbcbbc82bee5f2109bd73a57477fe1f92', - sha256: '6dce7d58ebb0d705fcb4179349c441b45e160c94e43934c5ed8fa1964e2cd031', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 22376, - timestamp: 132137685251515685, - timestamp_utc: '2019-09-24 03:15:25Z', - unique_pid: 22376, - unique_ppid: 22238, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137685251515685, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - authentication_id: 4904488, - command_line: '"C:\\Windows\\System32\\NOTEPAD.EXE" C:\\tmp\\scheduler.bat', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'f2c7bb8acc97f92e987a2d4087d021b1', - node_id: 22448, - opcode: 1, - original_file_name: 'NOTEPAD.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 4048, - ppid: 1808, - process_name: 'notepad.exe', - process_path: 'C:\\Windows\\System32\\notepad.exe', - serial_event_id: 22448, - sha1: '7eb0139d2175739b3ccb0d1110067820be6abd29', - sha256: '142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18943, - timestamp: 132137685448755407, - timestamp_utc: '2019-09-24 03:15:44Z', - unique_pid: 22448, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137685448755407, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 2, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 0, - md5: 'f2c7bb8acc97f92e987a2d4087d021b1', - node_id: 22464, - opcode: 2, - original_file_name: 'NOTEPAD.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 4048, - ppid: 1808, - process_name: 'notepad.exe', - process_path: 'C:\\Windows\\System32\\notepad.exe', - serial_event_id: 22464, - sha1: '7eb0139d2175739b3ccb0d1110067820be6abd29', - sha256: '142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 22448, - timestamp: 132137685516752206, - timestamp_utc: '2019-09-24 03:15:51Z', - unique_pid: 22448, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137685516752206, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - attack_references: [ - { - tactics: ['Execution'], - technique_id: 'T1085', - technique_name: 'Rundll32', - }, - ], - authentication_id: 4904488, - command_line: - '"C:\\Windows\\system32\\rundll32.exe" C:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL C:\\tmp\\XLS_no_email_Upcoming Events February 2018.xls\\cb85072e6ca66a29cb0b73659a0fe5ba2456d9ba0b52e3a4c89e86549bc6e2c7.xls', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'dd81d91ff3b0763c392422865c9ac12e', - node_id: 22799, - opcode: 1, - original_file_name: 'RUNDLL32.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 2864, - ppid: 1808, - process_name: 'rundll32.exe', - process_path: 'C:\\Windows\\System32\\rundll32.exe', - serial_event_id: 22799, - sha1: '963b55acc8c566876364716d5aafa353995812a8', - sha256: 'f5691b8f200e3196e6808e932630e862f8f26f31cd949981373f23c9d87db8b9', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18943, - timestamp: 132137686572217742, - timestamp_utc: '2019-09-24 03:17:37Z', - unique_pid: 22799, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137686572217742, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 2, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 0, - md5: 'dd81d91ff3b0763c392422865c9ac12e', - node_id: 22805, - opcode: 2, - original_file_name: 'RUNDLL32.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 2864, - ppid: 1808, - process_name: 'rundll32.exe', - process_path: 'C:\\Windows\\System32\\rundll32.exe', - serial_event_id: 22805, - sha1: '963b55acc8c566876364716d5aafa353995812a8', - sha256: 'f5691b8f200e3196e6808e932630e862f8f26f31cd949981373f23c9d87db8b9', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 22799, - timestamp: 132137686585839104, - timestamp_utc: '2019-09-24 03:17:38Z', - unique_pid: 22799, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137686585839104, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - attack_references: [ - { - tactics: ['Execution'], - technique_id: 'T1085', - technique_name: 'Rundll32', - }, - ], - authentication_id: 4904488, - command_line: - '"C:\\Windows\\system32\\rundll32.exe" C:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL C:\\tmp\\Upcoming Defense events February 2018.eml', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'dd81d91ff3b0763c392422865c9ac12e', - node_id: 22933, - opcode: 1, - original_file_name: 'RUNDLL32.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 1864, - ppid: 1808, - process_name: 'rundll32.exe', - process_path: 'C:\\Windows\\System32\\rundll32.exe', - serial_event_id: 22933, - sha1: '963b55acc8c566876364716d5aafa353995812a8', - sha256: 'f5691b8f200e3196e6808e932630e862f8f26f31cd949981373f23c9d87db8b9', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18943, - timestamp: 132137686702740793, - timestamp_utc: '2019-09-24 03:17:50Z', - unique_pid: 22933, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137686702740793, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 2, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 0, - md5: 'dd81d91ff3b0763c392422865c9ac12e', - node_id: 22945, - opcode: 2, - original_file_name: 'RUNDLL32.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 1864, - ppid: 1808, - process_name: 'rundll32.exe', - process_path: 'C:\\Windows\\System32\\rundll32.exe', - serial_event_id: 22945, - sha1: '963b55acc8c566876364716d5aafa353995812a8', - sha256: 'f5691b8f200e3196e6808e932630e862f8f26f31cd949981373f23c9d87db8b9', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 22933, - timestamp: 132137686718432362, - timestamp_utc: '2019-09-24 03:17:51Z', - unique_pid: 22933, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137686718432362, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - attack_references: [ - { - tactics: ['Execution'], - technique_id: 'T1085', - technique_name: 'Rundll32', - }, - ], - authentication_id: 4904488, - command_line: - '"C:\\Windows\\system32\\rundll32.exe" C:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Mail Recipient.MAPIMail', - depth: 1, - elevated: true, - elevation_type: 'default', - event_subtype_full: 'creation_event', - event_type_full: 'process_event', - integrity_level: 'high', - md5: 'dd81d91ff3b0763c392422865c9ac12e', - node_id: 27050, - opcode: 1, - original_file_name: 'RUNDLL32.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 568, - ppid: 1808, - process_name: 'rundll32.exe', - process_path: 'C:\\Windows\\System32\\rundll32.exe', - serial_event_id: 27050, - sha1: '963b55acc8c566876364716d5aafa353995812a8', - sha256: 'f5691b8f200e3196e6808e932630e862f8f26f31cd949981373f23c9d87db8b9', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 18943, - timestamp: 132137686926723189, - timestamp_utc: '2019-09-24 03:18:12Z', - unique_pid: 27050, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137686926723189, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - { - collection_id: 'f287067d-3ec7-4d5a-b6de-ea1415bc5e56', - data_buffer: { - depth: 2, - event_subtype_full: 'termination_event', - event_type_full: 'process_event', - exit_code: 0, - md5: 'dd81d91ff3b0763c392422865c9ac12e', - node_id: 27053, - opcode: 2, - original_file_name: 'RUNDLL32.EXE', - parent_process_name: 'explorer.exe', - parent_process_path: 'C:\\Windows\\explorer.exe', - pid: 568, - ppid: 1808, - process_name: 'rundll32.exe', - process_path: 'C:\\Windows\\System32\\rundll32.exe', - serial_event_id: 27053, - sha1: '963b55acc8c566876364716d5aafa353995812a8', - sha256: 'f5691b8f200e3196e6808e932630e862f8f26f31cd949981373f23c9d87db8b9', - signature_signer: 'Microsoft Windows', - signature_status: 'trusted', - source_id: 27050, - timestamp: 132137686939784495, - timestamp_utc: '2019-09-24 03:18:13Z', - unique_pid: 27050, - unique_ppid: 18943, - user_domain: 'ENDPOINT-W-1-07', - user_name: 'vagrant', - user_sid: 'S-1-5-21-3883902650-1642591343-2485142877-1001', - }, - event_timestamp: 132137686939784495, - event_type: 4, - machine_id: '7f1660dc-2c12-ce99-71b8-1ef862aeec34', - serial_event_id: 0, - }, - ], - status: 'success', - task_id: '2bed7d8b-72b1-4650-882c-5167a2fe1735', - total_events_searched: 7730, - type: 'eventLoggingSearchResponse', - }, - }, - metadata: { - count: 39, - next: null, - next_url: null, - per_page: '4000', - previous_url: null, - timestamp: '2019-12-18T19:31:27.565110', - }, -}; - -export const sampleData: ProcessEventSampleData = rawData as ProcessEventSampleData;