diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 22525ff9fb5..ad054868fb8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -63,6 +63,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* - Add support to Sysmon file delete events (event ID 23). {issue}18094[18094] +- Improve ECS field mappings in Sysmon module. `related.hash`, `related.ip`, and `related.user` are now populated. {issue}18364[18364] +- Improve ECS field mappings in Sysmon module. Hashes are now also populated to the corresponding `process.hash`, `process.pe.imphash`, `file.hash`, or `file.pe.imphash`. {issue}18364[18364] +- Improve ECS field mappings in Sysmon module. `file.name`, `file.directory`, and `file.extension` are now populated. {issue}18364[18364] +- Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364] *Functionbeat* diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 8eea4b8a558..f7dac99a4e8 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -332,10 +332,21 @@ var sysmon = (function () { evt.Delete("user"); evt.Put("user.domain", userParts[0]); evt.Put("user.name", userParts[1]); + evt.AppendTo("related.user", userParts[1]); evt.Delete("winlog.event_data.User"); } }; + var setRuleName = function (evt) { + var ruleName = evt.Get("winlog.event_data.RuleName"); + if (!ruleName || ruleName === "-") { + return; + } + + evt.Put("rule.name", ruleName); + evt.Delete("winlog.event_data.RuleName"); + }; + var addNetworkDirection = function (evt) { switch (evt.Get("winlog.event_data.Initiated")) { case "true": @@ -361,7 +372,39 @@ var sysmon = (function () { evt.Delete("winlog.event_data.DestinationIsIpv6"); }; - var addHashes = function (evt, hashField) { + var setRelatedIP = function (evt) { + var sourceIP = evt.Get("source.ip"); + if (sourceIP) { + evt.AppendTo("related.ip", sourceIP); + } + + var destIP = evt.Get("destination.ip"); + if (destIP) { + evt.AppendTo("related.ip", destIP); + } + }; + + var getHashPath = function (namespace, hashKey) { + if (hashKey === "imphash") { + return namespace + ".pe.imphash"; + } + + return namespace + ".hash." + hashKey; + }; + + var emptyHashRegex = /^0*$/; + + var hashIsEmpty = function (value) { + if (!value) { + return true; + } + + return emptyHashRegex.test(value); + } + + // Adds hashes from the given hashField in the event to the 'hash' key + // in the specified namespace. It also adds all the hashes to 'related.hash'. + var addHashes = function (evt, namespace, hashField) { var hashes = evt.Get(hashField); evt.Delete(hashField); hashes.split(",").forEach(function (hash) { @@ -372,16 +415,31 @@ var sysmon = (function () { var key = parts[0].toLowerCase(); var value = parts[1].toLowerCase(); + + if (hashIsEmpty(value)) { + return; + } + + var path = getHashPath(namespace, key); + + evt.Put(path, value); + evt.AppendTo("related.hash", value); + + // TODO: remove in 8.0, see (https://github.com/elastic/beats/issues/18364). evt.Put("hash." + key, value); }); }; - var splitHashes = function (evt) { - addHashes(evt, "winlog.event_data.Hashes"); + var splitFileHashes = function (evt) { + addHashes(evt, "file", "winlog.event_data.Hashes"); }; - var splitHash = function (evt) { - addHashes(evt, "winlog.event_data.Hash"); + var splitFileHash = function (evt) { + addHashes(evt, "file", "winlog.event_data.Hash"); + }; + + var splitProcessHashes = function (evt) { + addHashes(evt, "process", "winlog.event_data.Hashes"); }; var removeEmptyEventData = function (evt) { @@ -477,6 +535,28 @@ var sysmon = (function () { evt.Put("file.code_signature.valid", signatureStatus === "Valid"); }; + var setAdditionalFileFieldsFromPath = function (evt) { + var filePath = evt.Get("file.path"); + if (!filePath) { + return; + } + + evt.Put("file.name", path.basename(filePath)); + evt.Put("file.directory", path.dirname(filePath)); + + // path returns extensions with a preceding ., e.g.: .tmp, .png + // according to ecs the expected format is without it, so we need to remove it. + var ext = path.extname(filePath); + if (!ext) { + return; + } + + if (ext.charAt(0) === ".") { + ext = ext.substr(1); + } + evt.Put("file.extension", ext); + }; + // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives var commonRegistryHives = { HKEY_CLASSES_ROOT: "HKCR", @@ -606,10 +686,11 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(splitProcessArgs) .Add(addUser) - .Add(splitHashes) + .Add(splitProcessHashes) .Add(setParentProcessNameUsingExe) .Add(splitParentProcessArgs) .Add(removeEmptyEventData) @@ -652,6 +733,8 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -727,6 +810,8 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) + .Add(setRelatedIP) .Add(setProcessNameUsingExe) .Add(addUser) .Add(addNetworkDirection) @@ -792,6 +877,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -833,8 +919,10 @@ var sysmon = (function () { ], fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setAdditionalSignatureFields) - .Add(splitHashes) + .Add(splitFileHashes) .Add(removeEmptyEventData) .Build(); @@ -888,9 +976,11 @@ var sysmon = (function () { ], fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setAdditionalSignatureFields) .Add(setProcessNameUsingExe) - .Add(splitHashes) + .Add(splitFileHashes) .Add(removeEmptyEventData) .Build(); @@ -921,6 +1011,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -956,6 +1047,8 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -998,6 +1091,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -1039,6 +1133,8 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -1070,6 +1166,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) @@ -1102,6 +1199,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) @@ -1134,6 +1232,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setRegistryFields) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) @@ -1176,8 +1275,10 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) + .Add(setAdditionalFileFieldsFromPath) .Add(setProcessNameUsingExe) - .Add(splitHash) + .Add(splitFileHash) .Add(removeEmptyEventData) .Build(); @@ -1235,6 +1336,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -1276,6 +1378,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) .Build(); @@ -1294,6 +1397,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(addUser) .Add(removeEmptyEventData) .Build(); @@ -1316,6 +1420,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(addUser) .Add(setProcessNameUsingExe) .Add(removeEmptyEventData) @@ -1335,6 +1440,7 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(addUser) .Add(removeEmptyEventData) .Build(); @@ -1389,6 +1495,7 @@ var sysmon = (function () { field: "dns.question.name", target_field: "dns.question.registered_domain", }) + .Add(setRuleName) .Add(translateDnsQueryStatus) .Add(splitDnsQueryResults) .Add(setProcessNameUsingExe) @@ -1425,7 +1532,7 @@ var sysmon = (function () { }, { from: "winlog.event_data.TargetFilename", - to: "file.name", + to: "file.path", }, { from: "winlog.event_data.Image", @@ -1446,9 +1553,11 @@ var sysmon = (function () { ignore_missing: true, fail_on_error: false, }) + .Add(setRuleName) .Add(addUser) - .Add(splitHashes) + .Add(splitProcessHashes) .Add(setProcessNameUsingExe) + .Add(setAdditionalFileFieldsFromPath) .Add(removeEmptyEventData) .Build(); diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx index 4258ea01dd7..d3a5da13484 100644 Binary files a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx and b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx differ diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json index 1e36d89016c..31c7d0a7a26 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json @@ -1,4 +1,93 @@ [ + { + "@timestamp": "2020-05-07T08:14:44.489Z", + "event": { + "code": 23, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "deletion" + ] + } + }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001", + "extension": "exe", + "name": "test.test.exe", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe" + }, + "hash": { + "imphash": "d90d8c7812aec8da0fa173afa1293ab2", + "md5": "199e1cf5b2250bd515ecccf4ca686301" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-c36f-5eb3-2c07-290000000000}", + "executable": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe", + "hash": { + "md5": "199e1cf5b2250bd515ecccf4ca686301" + }, + "name": "go.exe", + "pe": { + "imphash": "d90d8c7812aec8da0fa173afa1293ab2" + }, + "pid": 2184 + }, + "related": { + "hash": [ + "199e1cf5b2250bd515ecccf4ca686301", + "d90d8c7812aec8da0fa173afa1293ab2" + ], + "user": "vagrant" + }, + "rule": { + "name": "-" + }, + "sysmon": { + "file": { + "archived": true, + "is_executable": true + } + }, + "user": { + "domain": "VAGRANT-2012-R2", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 23, + "process": { + "pid": 664, + "thread": { + "id": 2360 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 612, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, { "@timestamp": "2020-05-07T07:27:18.722Z", "event": { @@ -18,7 +107,10 @@ } }, "file": { - "name": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" + "directory": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local", + "extension": "dat", + "name": "lastalive0.dat", + "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" }, "hash": { "sha1": "115106f5b338c87ae6836d50dd890de3da296367" @@ -32,9 +124,16 @@ "process": { "entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}", "executable": "C:\\Windows\\System32\\svchost.exe", + "hash": { + "sha1": "115106f5b338c87ae6836d50dd890de3da296367" + }, "name": "svchost.exe", "pid": 776 }, + "related": { + "hash": "115106f5b338c87ae6836d50dd890de3da296367", + "user": "LOCAL SERVICE" + }, "rule": { "name": "-" }, @@ -70,5 +169,86 @@ }, "version": 5 } + }, + { + "@timestamp": "2020-05-12T06:48:27.084Z", + "event": { + "code": 23, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "deletion" + ] + } + }, + "file": { + "directory": "C:\\Windows\\System32\\LogFiles\\Scm", + "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", + "path": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d" + }, + "hash": { + "md5": "5a9bddf83be530b481f0fd24db28a6ff" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-4664-5eba-91ae-000000000000}", + "executable": "C:\\Windows\\system32\\svchost.exe", + "hash": { + "md5": "5a9bddf83be530b481f0fd24db28a6ff" + }, + "name": "svchost.exe", + "pid": 820 + }, + "related": { + "hash": "5a9bddf83be530b481f0fd24db28a6ff", + "user": "SYSTEM" + }, + "rule": { + "name": "-" + }, + "sysmon": { + "file": { + "archived": true, + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 23, + "process": { + "pid": 1188, + "thread": { + "id": 1600 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 2243, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } } ] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json index 3608a7889ed..cddd6776a82 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json @@ -119,6 +119,9 @@ "command_line": "C:\\Windows\\Sysmon.exe", "entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", "executable": "C:\\Windows\\Sysmon.exe", + "hash": { + "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" + }, "name": "Sysmon.exe", "parent": { "args": [ @@ -133,6 +136,10 @@ "pid": 4860, "working_directory": "C:\\Windows\\system32\\" }, + "related": { + "hash": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e", + "user": "SYSTEM" + }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM" @@ -202,6 +209,9 @@ "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding", "entity_id": "{42f11c3b-ce01-5c8f-0000-00102c412a00}", "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", + "hash": { + "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" + }, "name": "unsecapp.exe", "parent": { "args": [ @@ -218,6 +228,10 @@ "pid": 5028, "working_directory": "C:\\Windows\\system32\\" }, + "related": { + "hash": "6df8163a6320b80b60733f9d62e2f39b4b16b678", + "user": "SYSTEM" + }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM" @@ -387,6 +401,9 @@ "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding", "entity_id": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}", "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "hash": { + "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" + }, "name": "WmiPrvSE.exe", "parent": { "args": [ @@ -403,6 +420,10 @@ "pid": 4508, "working_directory": "C:\\Windows\\system32\\" }, + "related": { + "hash": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21", + "user": "SYSTEM" + }, "user": { "domain": "NT AUTHORITY", "name": "SYSTEM" @@ -483,6 +504,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "a00:20f:0:0:18a2:6e00:e0:ffff", + "a00:203:3000:3000:3000:3000:3000:3300" + ], + "user": "NETWORK SERVICE" + }, "source": { "ip": "a00:20f:0:0:18a2:6e00:e0:ffff", "port": 62141 @@ -557,6 +585,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "user": "NETWORK SERVICE" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -632,6 +667,13 @@ "name": "chrome.exe", "pid": 1600 }, + "related": { + "ip": [ + "10.0.2.15", + "40.77.226.250" + ], + "user": "vagrant" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -707,6 +749,13 @@ "name": "chrome.exe", "pid": 1600 }, + "related": { + "ip": [ + "10.0.2.15", + "40.77.226.250" + ], + "user": "vagrant" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -782,6 +831,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.15", + "10.0.2.255" + ], + "user": "SYSTEM" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -861,6 +917,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.255", + "10.0.2.15" + ], + "user": "SYSTEM" + }, "source": { "ip": "10.0.2.255", "port": 137 @@ -938,6 +1001,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "fe80:0:0:0:e488:b85c:5262:ff86", + "ff02:0:0:0:0:0:1:3" + ], + "user": "NETWORK SERVICE" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "fe80:0:0:0:e488:b85c:5262:ff86", @@ -1013,6 +1083,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "a00:20f:0:0:18a2:6e00:e0:ffff", + "e000:fc:4300:6800:7200:6f00:6d00:6500" + ], + "user": "NETWORK SERVICE" + }, "source": { "ip": "a00:20f:0:0:18a2:6e00:e0:ffff", "port": 55542 @@ -1087,6 +1164,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "169.254.180.25", + "169.254.255.255" + ], + "user": "SYSTEM" + }, "source": { "ip": "169.254.180.25", "port": 137 @@ -1164,6 +1248,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "169.254.255.255", + "169.254.180.25" + ], + "user": "SYSTEM" + }, "source": { "ip": "169.254.255.255", "port": 137 @@ -1241,6 +1332,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "fe80:0:0:0:616f:32fa:b04f:b419", + "ff02:0:0:0:0:0:1:3" + ], + "user": "NETWORK SERVICE" + }, "source": { "ip": "fe80:0:0:0:616f:32fa:b04f:b419", "port": 55717 @@ -1315,6 +1413,13 @@ "name": "svchost.exe", "pid": 924 }, + "related": { + "ip": [ + "a9fe:b419:0:0:f880:2301:e0:ffff", + "e000:fc:0:0:0:0:0:0" + ], + "user": "NETWORK SERVICE" + }, "source": { "ip": "a9fe:b419:0:0:f880:2301:e0:ffff", "port": 55717 @@ -1389,6 +1494,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.15", + "40.77.226.250" + ], + "user": "SYSTEM" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -1467,6 +1579,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "user": "SYSTEM" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -1545,6 +1664,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.15", + "169.254.255.255" + ], + "user": "SYSTEM" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -1623,6 +1749,13 @@ "name": "System", "pid": 4 }, + "related": { + "ip": [ + "10.0.2.15", + "169.254.180.25" + ], + "user": "SYSTEM" + }, "source": { "domain": "vagrant-2012-r2.local.crowbird.com", "ip": "10.0.2.15", @@ -1777,6 +1910,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", + "extension": "tmp", + "name": "fe823684-c940-49f2-a940-14b02cbafba9.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp" }, "host": { @@ -1837,6 +1973,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", + "extension": "tmp", + "name": "162d4140-cfab-4d05-9c92-bca60515a622.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp" }, "host": { @@ -1897,6 +2036,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", + "extension": "tmp", + "name": "1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp" }, "host": { @@ -1957,6 +2099,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", + "extension": "tmp", + "name": "37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp" }, "host": { @@ -2067,6 +2212,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def", + "extension": "tmp", + "name": "ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp" }, "host": { @@ -2127,6 +2275,9 @@ } }, "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def", + "extension": "tmp", + "name": "ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp" }, "host": {