diff --git a/internal/benchrunner/runners/system/report.go b/internal/benchrunner/runners/system/report.go index 65b68d5dfd..b86b323c24 100644 --- a/internal/benchrunner/runners/system/report.go +++ b/internal/benchrunner/runners/system/report.go @@ -16,6 +16,7 @@ import ( "github.com/elastic/elastic-package/internal/benchrunner/reporters" "github.com/elastic/elastic-package/internal/elasticsearch/ingest" + "github.com/elastic/elastic-package/internal/packages" ) type report struct { @@ -31,6 +32,7 @@ type report struct { } Parameters struct { PackageVersion string + Deployer string Input string Vars map[string]interface{} DataStream dataStream @@ -47,8 +49,8 @@ type report struct { TotalHits int } -func createReport(benchName, corporaFile string, s *scenario, sum *metricsSummary) (reporters.Reportable, error) { - r := newReport(benchName, corporaFile, s, sum) +func createReport(benchName, corporaFile string, s *scenario, sum *metricsSummary, secretVarNames map[string]bool) (reporters.Reportable, error) { + r := newReport(benchName, corporaFile, s, sum, secretVarNames) human := reporters.NewReport(s.Package, reportHumanFormat(r)) jsonBytes, err := reportJSONFormat(r) @@ -63,7 +65,7 @@ func createReport(benchName, corporaFile string, s *scenario, sum *metricsSummar return mr, nil } -func newReport(benchName, corporaFile string, s *scenario, sum *metricsSummary) *report { +func newReport(benchName, corporaFile string, s *scenario, sum *metricsSummary, secretVarNames map[string]bool) *report { var report report report.Info.Benchmark = benchName report.Info.Description = s.Description @@ -74,9 +76,13 @@ func newReport(benchName, corporaFile string, s *scenario, sum *metricsSummary) report.Info.Duration = time.Duration(sum.CollectionEndTs-sum.CollectionStartTs) * time.Second report.Info.GeneratedCorporaFile = corporaFile report.Parameters.PackageVersion = s.Version + report.Parameters.Deployer = s.Deployer report.Parameters.Input = s.Input - report.Parameters.Vars = s.Vars - report.Parameters.DataStream = s.DataStream + report.Parameters.Vars = maskSecretVars(s.Vars, secretVarNames) + report.Parameters.DataStream = dataStream{ + Name: s.DataStream.Name, + Vars: maskSecretVars(s.DataStream.Vars, secretVarNames), + } report.Parameters.WarmupTimePeriod = s.WarmupTimePeriod report.Parameters.BenchmarkTimePeriod = s.BenchmarkTimePeriod report.Parameters.WaitForDataTimeout = *s.WaitForDataTimeout @@ -114,6 +120,7 @@ func reportHumanFormat(r *report) []byte { pkvs := []interface{}{ "package version", r.Parameters.PackageVersion, + "deployer", r.Parameters.Deployer, "input", r.Parameters.Input, } @@ -218,6 +225,52 @@ func reportHumanFormat(r *report) []byte { return []byte(report.String()) } +func collectSecretVarNames(pkgManifest *packages.PackageManifest, dsManifest *packages.DataStreamManifest) map[string]bool { + secrets := make(map[string]bool) + for _, v := range pkgManifest.Vars { + if v.Secret { + secrets[v.Name] = true + } + } + for _, pt := range pkgManifest.PolicyTemplates { + for _, input := range pt.Inputs { + for _, v := range input.Vars { + if v.Secret { + secrets[v.Name] = true + } + } + } + for _, v := range pt.Vars { + if v.Secret { + secrets[v.Name] = true + } + } + } + for _, stream := range dsManifest.Streams { + for _, v := range stream.Vars { + if v.Secret { + secrets[v.Name] = true + } + } + } + return secrets +} + +func maskSecretVars(vars map[string]interface{}, secretNames map[string]bool) map[string]interface{} { + if len(vars) == 0 || len(secretNames) == 0 { + return vars + } + masked := make(map[string]interface{}, len(vars)) + for k, v := range vars { + if secretNames[k] { + masked[k] = "xxxx" + } else { + masked[k] = v + } + } + return masked +} + func renderBenchmarkTable(title string, kv ...interface{}) string { t := table.NewWriter() t.SetStyle(table.StyleRounded) diff --git a/internal/benchrunner/runners/system/report_test.go b/internal/benchrunner/runners/system/report_test.go new file mode 100644 index 0000000000..bcf89558c4 --- /dev/null +++ b/internal/benchrunner/runners/system/report_test.go @@ -0,0 +1,78 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package system + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestMaskSecretVars(t *testing.T) { + t.Parallel() + + testCases := []struct { + name string + vars map[string]interface{} + secretNames map[string]bool + expected map[string]interface{} + }{ + { + name: "masks secret vars and preserves non-secret vars", + vars: map[string]interface{}{ + "api_key": "super-secret-value", + "host": "localhost", + "retries": 3, + "tls": true, + "namespace": "default", + }, + secretNames: map[string]bool{ + "api_key": true, + }, + expected: map[string]interface{}{ + "api_key": "xxxx", + "host": "localhost", + "retries": 3, + "tls": true, + "namespace": "default", + }, + }, + { + name: "returns vars unchanged when there are no secret names", + vars: map[string]interface{}{ + "host": "localhost", + }, + secretNames: map[string]bool{}, + expected: map[string]interface{}{ + "host": "localhost", + }, + }, + { + name: "returns empty vars map when vars are empty", + vars: map[string]interface{}{}, + secretNames: map[string]bool{ + "api_key": true, + }, + expected: map[string]interface{}{}, + }, + } + + for _, tc := range testCases { + tc := tc + t.Run(tc.name, func(t *testing.T) { + t.Parallel() + + original := make(map[string]interface{}, len(tc.vars)) + for k, v := range tc.vars { + original[k] = v + } + + actual := maskSecretVars(tc.vars, tc.secretNames) + + assert.Equal(t, tc.expected, actual) + assert.Equal(t, original, tc.vars) + }) + } +} diff --git a/internal/benchrunner/runners/system/runner.go b/internal/benchrunner/runners/system/runner.go index 016a382dcb..56e4a6091d 100644 --- a/internal/benchrunner/runners/system/runner.go +++ b/internal/benchrunner/runners/system/runner.go @@ -26,7 +26,9 @@ import ( "github.com/elastic/elastic-package/internal/benchrunner" "github.com/elastic/elastic-package/internal/benchrunner/reporters" "github.com/elastic/elastic-package/internal/benchrunner/runners/common" + pkgcommon "github.com/elastic/elastic-package/internal/common" "github.com/elastic/elastic-package/internal/configuration/locations" + "github.com/elastic/elastic-package/internal/environment" "github.com/elastic/elastic-package/internal/kibana" "github.com/elastic/elastic-package/internal/logger" "github.com/elastic/elastic-package/internal/multierror" @@ -46,6 +48,8 @@ const ( defaultNamespace = "ep" ) +var prefixServiceBenchRunIDEnv = environment.WithElasticPackagePrefix("PREFIX_SERVICE_TEST_RUN_ID") + type runner struct { options Options scenario *scenario @@ -58,7 +62,8 @@ type runner struct { mcollector *collector corporaFile string - service servicedeployer.DeployedService + service servicedeployer.DeployedService + secretVarNames map[string]bool // Execution order of following handlers is defined in runner.TearDown() method. deletePolicyHandler func(context.Context) error @@ -146,7 +151,11 @@ func (r *runner) setUp(ctx context.Context) error { serviceLogsDir := locationManager.ServiceLogDir() r.svcInfo.Logs.Folder.Local = serviceLogsDir r.svcInfo.Logs.Folder.Agent = ServiceLogsAgentDir - r.svcInfo.Test.RunID = common.NewRunID() + prefix := "" + if v, found := os.LookupEnv(prefixServiceBenchRunIDEnv); found && v != "" { + prefix = v + } + r.svcInfo.Test.RunID = pkgcommon.CreateTestRunIDWithPrefix(prefix) outputDir, err := servicedeployer.CreateOutputDir(locationManager, r.svcInfo.Test.RunID) if err != nil { @@ -154,7 +163,7 @@ func (r *runner) setUp(ctx context.Context) error { } r.svcInfo.OutputDir = outputDir - serviceName, err := r.serviceDefinedInConfig() + serviceName, deployerName, err := r.serviceDefinedInConfig() if err != nil { return fmt.Errorf("failed to determine if service is defined in config: %w", err) } @@ -163,7 +172,7 @@ func (r *runner) setUp(ctx context.Context) error { // Just in the case service deployer is needed (input_service field), setup the service now so all the // required information is available in r.svcInfo (e.g. hostname, port, etc). // This info may be needed to render the variables in the configuration. - s, err := r.setupService(ctx, serviceName) + s, err := r.setupService(ctx, serviceName, deployerName) if errors.Is(err, os.ErrNotExist) { logger.Debugf("No service deployer defined for this benchmark") } else if err != nil { @@ -179,6 +188,15 @@ func (r *runner) setUp(ctx context.Context) error { } r.scenario = scenario + // If no deployer was explicitly set in the config but a service was used, + // resolve the actual deployer name (the only one present in the deploy dir). + if serviceName != "" && r.scenario.Deployer == "" { + devDeployDir := filepath.Clean(filepath.Join(r.options.PackageRoot, r.options.BenchPath, "deploy")) + if deployers, err := servicedeployer.FindAllServiceDeployers(devDeployDir); err == nil && len(deployers) == 1 { + r.scenario.Deployer = deployers[0] + } + } + if r.scenario.Corpora.Generator != nil { var err error r.generator, err = r.initializeGenerator(ctx) @@ -221,6 +239,8 @@ func (r *runner) setUp(ctx context.Context) error { return fmt.Errorf("reading data stream manifest failed: %w", err) } + r.secretVarNames = collectSecretVarNames(pkgManifest, dataStreamManifest) + r.runtimeDataStream = fmt.Sprintf( "%s-%s.%s-%s", dataStreamManifest.Type, @@ -263,19 +283,19 @@ func (r *runner) setUp(ctx context.Context) error { return nil } -func (r *runner) serviceDefinedInConfig() (string, error) { +func (r *runner) serviceDefinedInConfig() (string, string, error) { // Read of the configuration to know if a service deployer is needed. // No need to render any template at this point. scenario, err := readRawConfig(r.options.BenchPath, r.options.BenchName) if err != nil { - return "", err + return "", "", err } if scenario.Corpora.InputService == nil { - return "", nil + return "", "", nil } - return scenario.Corpora.InputService.Name, nil + return scenario.Corpora.InputService.Name, scenario.Deployer, nil } func (r *runner) run(ctx context.Context) (report reporters.Reportable, err error) { @@ -319,10 +339,10 @@ func (r *runner) run(ctx context.Context) (report reporters.Reportable, err erro return nil, fmt.Errorf("can't reindex data: %w", err) } - return createReport(r.options.BenchName, r.corporaFile, r.scenario, msum) + return createReport(r.options.BenchName, r.corporaFile, r.scenario, msum, r.secretVarNames) } -func (r *runner) setupService(ctx context.Context, serviceName string) (servicedeployer.DeployedService, error) { +func (r *runner) setupService(ctx context.Context, serviceName string, deployerName string) (servicedeployer.DeployedService, error) { stackVersion, err := r.options.KibanaClient.Version() if err != nil { return nil, fmt.Errorf("cannot request Kibana version: %w", err) @@ -330,7 +350,7 @@ func (r *runner) setupService(ctx context.Context, serviceName string) (serviced // Setup service. logger.Debug("Setting up service...") - devDeployDir := filepath.Clean(filepath.Join(r.options.BenchPath, "deploy")) + devDeployDir := filepath.Clean(filepath.Join(r.options.PackageRoot, r.options.BenchPath, "deploy")) opts := servicedeployer.FactoryOptions{ PackageRoot: r.options.PackageRoot, DevDeployDir: devDeployDir, @@ -339,6 +359,7 @@ func (r *runner) setupService(ctx context.Context, serviceName string) (serviced Type: servicedeployer.TypeBench, StackVersion: stackVersion.Version(), DeployIndependentAgent: false, + DeployerName: deployerName, } serviceDeployer, err := servicedeployer.Factory(opts) if err != nil { diff --git a/internal/benchrunner/runners/system/scenario.go b/internal/benchrunner/runners/system/scenario.go index b919c69436..fd2550ded8 100644 --- a/internal/benchrunner/runners/system/scenario.go +++ b/internal/benchrunner/runners/system/scenario.go @@ -9,6 +9,8 @@ import ( "fmt" "os" "path/filepath" + "slices" + "strings" "time" "github.com/aymerick/raymond" @@ -18,6 +20,8 @@ import ( "github.com/elastic/elastic-package/internal/servicedeployer" ) +var allowedDeployerNames = []string{"docker", "k8s", "tf"} + type scenario struct { Package string `config:"package" json:"package"` Description string `config:"description" json:"description"` @@ -30,6 +34,7 @@ type scenario struct { BenchmarkTimePeriod time.Duration `config:"benchmark_time_period" json:"benchmark_time_period"` WaitForDataTimeout *time.Duration `config:"wait_for_data_timeout" json:"wait_for_data_timeout"` Corpora corpora `config:"corpora" json:"corpora"` + Deployer string `config:"deployer" json:"deployer"` // Name of the service deployer to use for this scenario. } type dataStream struct { @@ -113,6 +118,10 @@ func readConfig(benchPath string, scenario string, svcInfo *servicedeployer.Serv if err := cfg.Unpack(c); err != nil { return nil, fmt.Errorf("can't unpack scenario configuration: %s: %w", configPath, err) } + if c.Deployer != "" && !slices.Contains(allowedDeployerNames, c.Deployer) { + return nil, fmt.Errorf("invalid deployer name %q in system benchmark configuration file %q, allowed values are: %s", + c.Deployer, configPath, strings.Join(allowedDeployerNames, ", ")) + } return c, nil } diff --git a/internal/benchrunner/runners/system/scenario_test.go b/internal/benchrunner/runners/system/scenario_test.go new file mode 100644 index 0000000000..a578d1ee41 --- /dev/null +++ b/internal/benchrunner/runners/system/scenario_test.go @@ -0,0 +1,63 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package system + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestReadConfig_DeployerValidation(t *testing.T) { + var testCases = []struct { + testName string + scenarioName string + deployer string + errContains string + }{ + { + testName: "valid deployer docker", + scenarioName: "valid_deployer_docker", + deployer: "docker", + }, + { + testName: "valid deployer k8s", + scenarioName: "valid_deployer_k8s", + deployer: "k8s", + }, + { + testName: "valid deployer tf", + scenarioName: "valid_deployer_tf", + deployer: "tf", + }, + { + testName: "invalid deployer", + scenarioName: "invalid_deployer", + errContains: "invalid deployer name", + }, + { + testName: "empty deployer", + scenarioName: "empty_deployer", + deployer: "", + }, + } + + for _, tc := range testCases { + t.Run(tc.testName, func(t *testing.T) { + t.Parallel() + scenario, err := readRawConfig("testdata", tc.scenarioName) + + if tc.errContains != "" { + require.Error(t, err) + assert.Contains(t, err.Error(), tc.errContains) + return + } + + require.NoError(t, err) + assert.Equal(t, tc.deployer, scenario.Deployer) + }) + } +} diff --git a/internal/benchrunner/runners/system/testdata/empty_deployer.yml b/internal/benchrunner/runners/system/testdata/empty_deployer.yml new file mode 100644 index 0000000000..8e0c4e38fa --- /dev/null +++ b/internal/benchrunner/runners/system/testdata/empty_deployer.yml @@ -0,0 +1 @@ +description: "scenario with no deployer set" diff --git a/internal/benchrunner/runners/system/testdata/invalid_deployer.yml b/internal/benchrunner/runners/system/testdata/invalid_deployer.yml new file mode 100644 index 0000000000..b2bf1cabf2 --- /dev/null +++ b/internal/benchrunner/runners/system/testdata/invalid_deployer.yml @@ -0,0 +1 @@ +deployer: someinvaliddeployername \ No newline at end of file diff --git a/internal/benchrunner/runners/system/testdata/valid_deployer_docker.yml b/internal/benchrunner/runners/system/testdata/valid_deployer_docker.yml new file mode 100644 index 0000000000..93fff6133d --- /dev/null +++ b/internal/benchrunner/runners/system/testdata/valid_deployer_docker.yml @@ -0,0 +1 @@ +deployer: docker \ No newline at end of file diff --git a/internal/benchrunner/runners/system/testdata/valid_deployer_k8s.yml b/internal/benchrunner/runners/system/testdata/valid_deployer_k8s.yml new file mode 100644 index 0000000000..524374f584 --- /dev/null +++ b/internal/benchrunner/runners/system/testdata/valid_deployer_k8s.yml @@ -0,0 +1 @@ +deployer: k8s \ No newline at end of file diff --git a/internal/benchrunner/runners/system/testdata/valid_deployer_tf.yml b/internal/benchrunner/runners/system/testdata/valid_deployer_tf.yml new file mode 100644 index 0000000000..680cb597d2 --- /dev/null +++ b/internal/benchrunner/runners/system/testdata/valid_deployer_tf.yml @@ -0,0 +1 @@ +deployer: tf \ No newline at end of file diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark.yml new file mode 100644 index 0000000000..82cc41c36f --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark.yml @@ -0,0 +1,27 @@ +--- +description: Benchmark 100000 alert events ingested +input: cel +deployer: docker +vars: + url: http://{{Hostname}}:{{Port}} + client_id: xxxx + client_secret: yyyy + token_url: http://{{Hostname}}:{{Port}}/oauth2/token +data_stream: + name: alert + vars: + enable_request_tracer: true + preserve_original_event: true +warmup_time_period: 2s +corpora: + input_service: + name: crowdstrike + generator: + total_events: 1000 + template: + path: ./alert-benchmark/template.ndjson + type: gotext + config: + path: ./alert-benchmark/config.yml + fields: + path: ./alert-benchmark/fields.yml diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark/config.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark/config.yml new file mode 100644 index 0000000000..f718388107 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark/config.yml @@ -0,0 +1,105 @@ +fields: + - name: timestamp + period: -24h + - name: agent_id + cardinality: 1000 + - name: alleged_filetype + cardinality: 1000 + - name: cid + cardinality: 10 + - name: comments.falcon_user_id + cardinality: 10000 + - name: confidence + range: + min: 0 + max: 100 + cardinality: 1000 + - name: device.platform_name + enum: + - Windows + - Linux + - Mac + - name: device.agent_load_flags + enum: + - '0' + - '1' + - '2' + - '3' + - name: device.platform_id + enum: + - '0' + - '1' + - '3' + - name: device.device_id + cardinality: 10000 + - name: device.external_ipv6 + value: 20xx:xxx:xxxx:xxxx:5555:6666:7777:8888 + - name: device.local_ipv6 + value: 20xx:xxx:xxxx:xxxx:5555:6666:7777:8888 + - name: device.mac_address + value: 00:xx:xx:xx:4D:5E + - name: filename + cardinality: 10000 + - name: hostname + cardinality: 10000 + - name: id + cardinality: 100000 + - name: process_end_time + value: 1737735358 + - name: process_start_time + value: 1737735358 + - name: product + enum: + - cwpp + - data-protection + - epp + - idp + - mobile + - ngsiem + - overwatch + - thirdparty + - xdr + - name: severity_name + enum: + - Low + - Medium + - High + - name: status + enum: + - new + - in_progress + - closed + - reopened + - name: type + enum: + - ldt + - ods + - xdr + - ofp + - ssd + - windows_legacy + - name: tree_root + cardinality: 100000 + - name: tree_id + cardinality: 100000 + - name: username + cardinality: 10000 + - name: user_id + cardinality: 10000 + - name: network_accesses.connection_direction + enum: + - outbound + - inbound + - neither + - name: network_accesses.local_port + range: + min: 10000 + max: 95000 + - name: network_accesses.protocol + enum: + - TCP + - UDP + - name: network_accesses.remote_port + range: + min: 10000 + max: 95000 diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark/fields.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark/fields.yml new file mode 100644 index 0000000000..a1fa39ee44 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark/fields.yml @@ -0,0 +1,208 @@ +- name: agent_id + type: keyword +- name: aggregate_id + type: keyword +- name: alleged_filetype + type: keyword +- name: cid + type: keyword +- name: cmdline + type: keyword +- name: comment + type: text +- name: comments + type: group + fields: + - name: falcon_user_id + type: keyword + - name: timestamp + type: date + - name: value + type: text +- name: composite_id + type: keyword +- name: confidence + type: integer +- name: control_graph_id + type: keyword +- name: created_timestamp + type: date +- name: description + type: text +- name: device + type: group + fields: + - name: agent_load_flags + type: keyword + - name: agent_local_time + type: date + - name: agent_version + type: keyword + - name: bios_manufacturer + type: keyword + - name: bios_version + type: integer + - name: cid + type: keyword + - name: device_id + type: keyword + - name: external_ip + type: ip + - name: external_ipv6 + type: ip + - name: first_seen + type: date + - name: groups + type: keyword + - name: hostinfo + type: group + fields: + - name: active_directory_dn_display + type: keyword + - name: domain + type: keyword + - name: hostname + type: keyword + - name: host_hidden_status + type: keyword + - name: last_seen + type: keyword + - name: instance_id + type: keyword + - name: local_ip + type: ip + - name: local_ipv6 + type: ip + - name: mac_address + type: keyword + - name: machine_domain + type: keyword + - name: major_version + type: integer + - name: minor_version + type: integer + - name: modified_timestamp + type: date + - name: os_version + type: keyword + - name: ou + type: keyword + - name: platform_id + type: keyword + - name: platform_name + type: keyword + - name: pod_id + type: keyword + - name: pod_labels + type: keyword + - name: pod_name + type: keyword + - name: pod_namespace + type: keyword + - name: pod_service_account_name + type: keyword + - name: product_type + type: keyword + - name: product_type_desc + type: keyword + - name: service_provider + type: keyword + - name: service_provider_account_id + type: keyword + - name: site_name + type: keyword + - name: system_manufacturer + type: keyword + - name: system_product_name + type: keyword + - name: tags + type: keyword +- name: display_name + type: keyword +- name: falcon_host_link + type: keyword +- name: filename + type: keyword +- name: filepath + type: keyword +- name: hostname + type: keyword +- name: id + type: keyword +- name: ioc_source + type: keyword +- name: ioc_type + type: keyword +- name: ioc_value + type: keyword +- name: md5 + type: keyword +- name: network_accesses + type: group + fields: + - name: access_type + type: integer + - name: connection_direction + type: keyword + - name: isIPV6 + type: boolean + - name: local_address + type: ip + - name: local_port + type: integer + - name: protocol + type: keyword + - name: remote_address + type: ip + - name: remote_port + type: integer +- name: objective + type: keyword +- name: parent_process_id + type: integer +- name: pattern_id + type: integer +- name: process_end_time + type: date +- name: process_id + type: integer +- name: process_start_time + type: date +- name: product + type: keyword +- name: scenario + type: keyword +- name: severity + type: integer +- name: severity_name + type: keyword +- name: sha256 + type: keyword +- name: show_in_ui + type: boolean +- name: status + type: keyword +- name: tactic + type: keyword +- name: tactic_id + type: keyword +- name: technique + type: keyword +- name: technique_id + type: keyword +- name: timestamp + type: date +- name: tree_id + type: keyword +- name: tree_root + type: integer +- name: triggering_process_graph_id + type: keyword +- name: type + type: keyword +- name: updated_timestamp + type: date +- name: username + type: keyword +- name: user_id + type: keyword diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark/template.ndjson b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark/template.ndjson new file mode 100644 index 0000000000..2841b0f2a6 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/alert-benchmark/template.ndjson @@ -0,0 +1,97 @@ +{{- $agent_id := generate "agent_id" }} +{{- $aggregate_id := generate "aggregate_id" }} +{{- $alleged_filetype := generate "alleged_filetype" }} +{{- $access_type := generate "network_accesses.access_type" }} +{{- $connection_direction := generate "network_accesses.connection_direction" }} +{{- $isIPV6 := generate "network_accesses.isIPV6" }} +{{- $local_address := generate "network_accesses.local_address" }} +{{- $local_port := generate "network_accesses.local_port" }} +{{- $protocol := generate "network_accesses.protocol" }} +{{- $remote_address := generate "network_accesses.remote_address" }} +{{- $remote_port := generate "network_accesses.remote_port" }} +{{- $cid := generate "cid" }} +{{- $cmdline := generate "cmdline" }} +{{- $comment := generate "comment" }} +{{- $falcon_user_id := generate "comments.falcon_user_id" }} +{{- $timestamp := generate "comments.timestamp" | date "2006-01-02T15:04:05.000000000Z" }} +{{- $value := generate "comments.value" }} +{{- $composite_id := generate "composite_id" }} +{{- $confidence := generate "confidence" }} +{{- $control_graph_id := generate "control_graph_id" }} +{{- $created_timestamp := generate "created_timestamp" | date "2006-01-02T15:04:05.000000000Z" }} +{{- $description := generate "description" }} +{{- $last_seen := generate "device.last_seen" | date "2006-01-02T15:04:05.00Z" }} +{{- $agent_load_flags := generate "device.agent_load_flags" }} +{{- $agent_local_time := generate "device.agent_local_time" | date "2006-01-02T15:04:05.000Z" }} +{{- $agent_version := generate "device.agent_version" }} +{{- $bios_manufacturer := generate "device.bios_manufacturer" }} +{{- $bios_version := generate "device.bios_version" }} +{{- $device_id := generate "device.device_id" }} +{{- $external_ip := generate "device.external_ip" }} +{{- $external_ipv6 := generate "device.external_ipv6" }} +{{- $first_seen := generate "device.first_seen" | date "2006-01-02T15:04:05.000Z" }} +{{- $groups := generate "device.groups" }} +{{- $active_directory_dn_display := generate "device.hostinfo.active_directory_dn_display" }} +{{- $domain := generate "device.hostinfo.domain" }} +{{- $host_hidden_status := generate "device.host_hidden_status" }} +{{- $instance_id := generate "device.instance_id" }} +{{- $local_ip := generate "device.local_ip" }} +{{- $local_ipv6 := generate "device.local_ipv6" }} +{{- $mac_address := generate "device.mac_address" }} +{{- $machine_domain := generate "device.machine_domain" }} +{{- $major_version := generate "device.major_version" }} +{{- $minor_version := generate "device.minor_version" }} +{{- $modified_timestamp := generate "device.modified_timestamp" | date "2006-01-02T15:04:05.00Z" }} +{{- $os_version := generate "device.os_version" }} +{{- $ou := generate "device.ou" }} +{{- $platform_id := generate "device.platform_id" }} +{{- $platform_name := generate "device.platform_name" }} +{{- $pod_id := generate "device.pod_id" }} +{{- $pod_labels := generate "device.pod_labels" }} +{{- $pod_name := generate "device.pod_name" }} +{{- $pod_namespace := generate "device.pod_namespace" }} +{{- $pod_service_account_name := generate "device.pod_service_account_name" }} +{{- $product_type := generate "device.product_type" }} +{{- $product_type_desc := generate "device.product_type_desc" }} +{{- $service_provider := generate "device.service_provider" }} +{{- $service_provider_account_id := generate "device.service_provider_account_id" }} +{{- $site_name := generate "device.site_name" }} +{{- $system_manufacturer := generate "device.system_manufacturer" }} +{{- $system_product_name := generate "device.system_product_name" }} +{{- $tags := generate "device.tags" }} +{{- $display_name := generate "display_name" }} +{{- $falcon_host_link := generate "falcon_host_link" }} +{{- $filename := generate "filename" }} +{{- $filepath := generate "filepath" }} +{{- $hostname := generate "hostname" }} +{{- $id := generate "id" }} +{{- $ioc_source := generate "ioc_source" }} +{{- $ioc_type := generate "ioc_type" }} +{{- $ioc_value := generate "ioc_value" }} +{{- $md5 := generate "md5" }} +{{- $objective := generate "objective" }} +{{- $parent_process_id := generate "parent_process_id" }} +{{- $pattern_id := generate "pattern_id" }} +{{- $process_end_time := generate "process_end_time" }} +{{- $process_id := generate "process_id" }} +{{- $process_start_time := generate "process_start_time" }} +{{- $product := generate "product" }} +{{- $scenario := generate "scenario" }} +{{- $severity := generate "severity" }} +{{- $severity_name := generate "severity_name" }} +{{- $sha256 := generate "sha256" }} +{{- $show_in_ui := generate "show_in_ui" }} +{{- $status := generate "status" }} +{{- $tactic := generate "tactic" }} +{{- $tactic_id := generate "tactic_id" }} +{{- $technique := generate "technique" }} +{{- $technique_id := generate "technique_id" }} +{{- $timestamp_main := generate "timestamp" | date "2006-01-02T15:04:05.000Z" }} +{{- $tree_id := generate "tree_id" }} +{{- $tree_root := generate "tree_root" }} +{{- $triggering_process_graph_id := generate "triggering_process_graph_id" }} +{{- $type := generate "type" }} +{{- $updated_timestamp := generate "updated_timestamp" | date "2006-01-02T15:04:05.000000000Z" }} +{{- $username := generate "username" }} +{{- $user_id := generate "user_id" }} +{"agent_id":"{{ $agent_id }}","aggregate_id":"{{ $aggregate_id }}","alleged_filetype":"{{ $alleged_filetype }}","cid":"{{ $cid }}","cmdline":"{{ $cmdline }}","comment":"{{ $comment }}","comments":[{"falcon_user_id":"{{ $falcon_user_id }}@mail.com","timestamp":"{{ $timestamp }}","value":"{{ $value }}"}],"composite_id":"{{ $composite_id }}","confidence":{{ $confidence }},"control_graph_id":"{{ $control_graph_id }}","created_timestamp":"{{ $created_timestamp }}","description":"{{ $description }}","device":{"agent_version":"x.xx.xxxxx.x","agent_load_flags":"{{ $agent_load_flags }}","agent_local_time":"{{ $agent_local_time }}","bios_manufacturer":"{{ $bios_manufacturer }}","bios_version":"{{ $bios_version }}","cid":"{{ $cid }}","device_id":"{{ $device_id }}","external_ip":"{{ $external_ip }}","external_ipv6":"{{ $external_ipv6 }}","first_seen":"{{ $first_seen }}","groups":"{{ $groups }}","hostinfo":{"active_directory_dn_display":"{{ $active_directory_dn_display }}","domain":"{{ $domain }}"},"hostname":"{{ $hostname }}","host_hidden_status":"{{ $host_hidden_status }}","last_seen":"{{ $last_seen }}","instance_id":"{{ $instance_id }}","local_ip":"{{ $local_ip }}","local_ipv6":"{{ $local_ipv6 }}","mac_address":"{{ $mac_address }}","machine_domain":"{{ $machine_domain }}","major_version":{{ $major_version }},"minor_version":{{ $minor_version }},"modified_timestamp":"{{ $modified_timestamp }}","os_version":"{{ $os_version }}","ou":["{{ $ou }}"],"platform_id":"{{ $platform_id }}","platform_name":"{{ $platform_name }}","pod_id":"{{ $pod_id }}","pod_labels":["{{ $pod_labels }}"],"pod_name":"{{ $pod_name }}","pod_namespace":"{{ $pod_namespace }}","pod_service_account_name":"{{ $pod_service_account_name }}","product_type":"{{ $product_type }}","product_type_desc":"{{ $product_type_desc }}","service_provider":"{{ $service_provider }}","service_provider_account_id":"{{ $service_provider_account_id }}","site_name":"{{ $site_name }}","status":"{{ $status }}","system_manufacturer":"{{ $system_manufacturer }}","system_product_name":"{{ $system_product_name }}","tags":["{{ $tags }}"]},"display_name":"{{ $display_name }}","falcon_host_link":"https://falcon.crowdstrike.com/activity-v2/detections/{{ $falcon_host_link }}","filename":"{{ $filename }}.{{ $alleged_filetype }}","filepath":"\\\\{{ $filepath }}\\\\{{ $filename }}.{{ $alleged_filetype }}","id":"{{ $id }}","ioc_source":"{{ $ioc_source }}","ioc_type":"{{ $ioc_type }}","ioc_value":"{{ $ioc_value }}","md5":"{{ $md5 }}","mitre_attack":{"pattern_id":{{ $pattern_id }},"tactic_id":"{{ $tactic_id }}","technique_id":"{{ $technique_id }}","tactic":"{{ $tactic }}","technique":"{{ $technique }}"},"name":"{{ $username }} on {{ $hostname }}","network_accesses":[{"access_type":"{{ $access_type }}","connection_direction":"{{ $connection_direction }}","isIPV6":{{ $isIPV6 }},"local_address":"{{ $local_address }}","local_port":{{ $local_port }},"protocol":"{{ $protocol }}","remote_address":"{{ $remote_address }}","remote_port":{{ $remote_port }}}],"objective":"{{ $objective }}","parent_process_id":{{ $parent_process_id }},"pattern_id":{{ $pattern_id }},"platform":"{{ $platform_name }}","process_end_time":"{{ $process_end_time }}","process_id":{{ $process_id }},"process_start_time":"{{ $process_start_time }}","product":"{{ $product }}","scenario":"{{ $scenario }}","severity":{{ $severity }},"severity_name":"{{ $severity_name }}","sha256":"{{ $sha256 }}","show_in_ui":{{ $show_in_ui }},"status":"{{ $status }}","tactic":"{{ $tactic }}","tactic_id":"{{ $tactic_id }}","technique":"{{ $technique }}","technique_id":"{{ $technique_id }}","timestamp":"{{ $timestamp_main }}","tree_id":"{{ $tree_id }}","tree_root":{{ $tree_root }},"triggering_process_graph_id":"{{ $triggering_process_graph_id }}","type":"{{ $type }}","updated_timestamp":"{{ $updated_timestamp }}","user_id":"{{ $user_id }}"}, diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/docker/docker-compose.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/docker/docker-compose.yml new file mode 100644 index 0000000000..cfa001fee1 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/docker/docker-compose.yml @@ -0,0 +1,16 @@ +version: "2.3" +services: + crowdstrike: + image: docker.elastic.co/observability/stream:v0.20.0 + hostname: crowdstrike + ports: + - 8080 + volumes: + - ./files:/files:ro + - ${SERVICE_LOGS_DIR}:/var/log + environment: + PORT: "8080" + command: + - http-server + - --addr=:8080 + - --config=/files/config.yml diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/docker/files/config.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/docker/files/config.yml new file mode 100644 index 0000000000..8ac8e5871e --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/docker/files/config.yml @@ -0,0 +1,128 @@ +rules: + - path: /oauth2/token + methods: ['POST'] + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: | + {"access_token":"xxxx","expires_in":3600,"token_type":"Bearer","refresh_token":"yyyy"} + - path: /alerts/combined/alerts/v1 + methods: ['POST'] + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + { + "meta": { + "pagination": { + "total": 100000, + "limit": 100 + } + }, + "errors": [], + "resources": [ + {{/* Comma is added at the end of each line inside the template to preserve JSON format */}} + {{- $g := glob "/var/log/corpus-*" -}} + {{- range $g -}} + {{- file . -}} + {{- end -}} + {{/* A last line of hard-coded data is required to properly close the JSON body */}} + {"agent_id":"2ce412d17b334ad4adc8c1c54dbfec4b","aggregate_id":"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778","alleged_filetype":"exe","cid":"92012896127c4a948236ba7601b886b0","composite_id":"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","confidence":10,"created_timestamp":"2023-11-03T18:01:23.995794943Z","id":"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600","severity":30,"status":"new","timestamp":"2023-11-03T18:00:22.328Z","updated_timestamp":"2023-11-03T19:00:23.985007341Z"} + ] + } + - path: /devices/combined/devices/v1 + methods: ['GET'] + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + { + "meta": { + "pagination": { + "total": 100000, + "limit": 100 + } + }, + "errors": [], + "resources": [ + {{/* Comma is added at the end of each line inside the template to preserve JSON format */}} + {{- $g := glob "/var/log/corpus-*" -}} + {{- range $g -}} + {{- file . -}} + {{- end -}} + {{/* A last line of hard-coded data is required to properly close the JSON body */}} + {"device_id":"2ce412d17b334ad4adc8c1c54dbfec4b","cid":"92012896127c4a948236ba7601b886b0","agent_load_flags":"0","agent_local_time":"2023-11-07T04:51:16.678Z","agent_version":"7.05.17603.0","hostname":"test-host","status":"normal","modified_timestamp":"2023-11-07T04:51:16.678Z"} + ] + } + - path: /spotlight/combined/vulnerabilities/v1 + methods: ['GET'] + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + { + "meta": { + "pagination": { + "total": 100000, + "limit": 100 + } + }, + "errors": [], + "resources": [ + {{/* Comma is added at the end of each line inside the template to preserve JSON format */}} + {{- $g := glob "/var/log/corpus-*" -}} + {{- range $g -}} + {{- file . -}} + {{- end -}} + {{/* A last line of hard-coded data is required to properly close the JSON body */}} + {"id":"CVE-2023-12345","cid":"92012896127c4a948236ba7601b886b0","aid":"2ce412d17b334ad4adc8c1c54dbfec4b","vulnerability_id":"CVE-2023-12345","status":"open","cve":{"severity":"MEDIUM","references":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1234"]},"created_timestamp":"2023-11-03T18:01:23.995794943Z","updated_timestamp":"2023-11-03T19:00:23.985007341Z"} + ] + } + - path: /sensors/entities/datafeed/v2 + methods: ['GET'] + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + { + "resources": [ + { + "dataFeedURL": "http://svc-crowdstrike:8080/events", + "sessionToken": { + "token": "secretsessiontoken" + }, + "refreshActiveSessionURL": "http://svc-crowdstrike:8080/refresh", + "refreshActiveSessionInterval": 1800 + } + ] + } + - path: /events + methods: ['GET'] + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + {{- $g := glob "/var/log/corpus-*" -}} + {{- range $g -}} + {{- file . -}} + {{- end -}} + - path: /refresh + methods: ['POST'] + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: '' diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/env.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/env.yml new file mode 100644 index 0000000000..1200994302 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/env.yml @@ -0,0 +1,5 @@ +version: '2.3' +services: + terraform: + environment: + - TEST_RUN_ID=${TEST_RUN_ID} diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/files/sample.log b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/files/sample.log new file mode 100644 index 0000000000..a531968e82 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/files/sample.log @@ -0,0 +1,500 @@ +{"metadata": {"customerIDString": "Lebanesework","offset": -1685835604,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "whydresser","HostnameField": "hisnation","UserName": "repellingthing","StartTimestamp": 1582830734,"AgentIdString": "itshand"}} +{"metadata": {"customerIDString": "ourdisregard","offset": -23054234,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "scaryway","Region": "us-west-1","ResourceId": "thathappiness","ResourceIdType": "Middle Easternmother","ResourceName": "whichtime","ResourceCreateTime": 0,"PolicyStatement": "histable","PolicyId": 1595025608,"Severity": 65,"SeverityName": "Medium","CloudPlatform": "Cypriotyoga","CloudService": "myline","Disposition": "Passed","ResourceUrl": "hispoint","Finding": "hishonesty","Tags": [{"Key": "fragilecompany","ValueString": "impromptuwelfare"}],"ReportUrl": "oddshower","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "theremoney","offset": -500255711,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "Marxistluck","UserIp": "113.166.169.36","OperationName": "confirmResetPassword","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "Koreanfact","ValueString": "whereshower"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "anyonegroup"}}} +{"metadata": {"customerIDString": "wherecackle","offset": -185828149,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "Polynesianheels","IncidentDescription": "Salvadoreanseed","Severity": 71,"SeverityName": "Informational","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "allpoverty","UserName": "mypod","EndpointName": "whatbrilliance","EndpointIp": "12.250.116.236","Category": "Incidents","NumbersOfAlerts": -1113219528,"NumberOfCompromisedEntities": -263983776,"State": "RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thesewisp?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "Americanwhale","offset": 939173435,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "hershirt","Highlights": ["yoursheep"],"MatchedTimestamp": 1686889114000,"RuleId": "thesechildhood","RuleName": "thosehamburger","RuleTopic": "theirfact","RulePriority": "whatwad","ItemId": "Middle Easterncrew","ItemType": "CS","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "Diabolicalforest","offset": 1660803782,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "somearmy","Region": "us-west-2","ResourceId": "whereway","ResourceIdType": "gorgeousbird","ResourceName": "whichgroup","ResourceCreateTime": 0,"PolicyStatement": "whosedynasty","PolicyId": 390111810,"Severity": 43,"SeverityName": "Medium","CloudPlatform": "toobunch","CloudService": "Costa Ricanloss","Disposition": "Failed","ResourceUrl": "eachbattery","Finding": "thesedream","Tags": [{"Key": "Frenchcandy","ValueString": "Kazakhliterature"}],"ReportUrl": "noneforest","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "whatlove","offset": -315799839,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "thoseplace","MobileDetectionId": 1667158397,"ComputerName": "halfpod","UserName": "yourstaff","ContextTimeStamp": 1649061056,"DetectId": "so fewface","DetectName": "thosesorrow","DetectDescription": "host employment gang forest team group pair turtle chest thing pod troop sugar government evidence thisscold","Tactic": "substantialtail","TacticId": "whosebook","Technique": "howheap","TechniqueId": "whatschool","Objective": "whosetroupe","Severity": 1,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/theirbelief?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "ourmurder","AndroidAppLabel": "Plutoniancollection","DexFileHashes": "Cypriotanthology","ImageFileName": "thosegang","AppInstallerInformation": "thisorange","IsBeingDebugged": true,"AndroidAppVersionName": "wherescissors","IsContainerized": true}]}} +{"metadata": {"customerIDString": "lots ofhail","offset": -1080414415,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "anyonenest","MobileDetectionId": 2112873966,"ComputerName": "significantnoise","UserName": "Einsteinianstupidity","ContextTimeStamp": 1649061056,"DetectId": "hisbelief","DetectName": "Victorianlake","DetectDescription": "college time air right muster army grade thought sister man article party city loss refrigerator myanthology","Tactic": "thosepod","TacticId": "whysilence","Technique": "therebattery","TechniqueId": "nowaiter","Objective": "itcompany","Severity": 29,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/fewshower?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "helpfulmuster","AndroidAppLabel": "someonecorruption","DexFileHashes": "Nepalesecare","ImageFileName": "Mayanhotel","AppInstallerInformation": "nonegoodness","IsBeingDebugged": false,"AndroidAppVersionName": "wherehat","IsContainerized": true}]}} +{"metadata": {"customerIDString": "numerousgarage","offset": 358982922,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "sufficientunion","UserIp": "118.44.72.83","OperationName": "userAuthenticate","ServiceName": "Crowdstrike Streaming API","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "whichcheese","ValueString": "manyway"}],"Attributes": {"actor_cid": "anyonewarmth","actor_user": "wholedetermination","actor_user_uuid": "whycar","app_id": "wherefox","saml_assertion": "nonepatrol","target_user": "Amazonianeye","trace_id": "ourwhale"}}} +{"metadata": {"customerIDString": "wherewoman","offset": -978965511,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "thatlove","CustomerId": "youngyear","Ipv": "111.108.39.213","CommandLine": "yourjoy","ConnectionDirection": "1","EventType": "FirewallRuleIP6Matched","Flags": {"Audit": true,"Log": false,"Monitor": false},"HostName": "fullhost","ICMPCode": "tooplace","ICMPType": "hereability","ImageFileName": "littleluxuty","LocalAddress": "212.100.108.245","LocalPort": "71122","MatchCount": -1465089284,"MatchCountSinceLastReport": -1659220810,"NetworkProfile": "myedge","PID": "-1256766382","PolicyName": "itsthing","PolicyID": "heavycompany","Protocol": "Cormoranpronunciation","RemoteAddress": "132.38.65.208","RemotePort": "35570","RuleAction": "itbook","RuleDescription": "company obnoxiousarmy","RuleFamilyID": "over thereflock","RuleGroupName": "ouromen","RuleName": "onepoint","RuleId": "easyhorde","Status": "boredhorn","Timestamp": 1751371830,"TreeID": "anypound"}} +{"metadata": {"customerIDString": "howwoman","offset": -947006805,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "whereset","CustomerId": "wittyway","Ipv": "249.171.19.228","CommandLine": "thishumour","ConnectionDirection": "0","EventType": "FirewallRuleApplicationFailed","Flags": {"Audit": false,"Log": true,"Monitor": true},"HostName": "Lilliputianbook","ICMPCode": "whystring","ICMPType": "whererazor","ImageFileName": "itfashion","LocalAddress": "238.237.247.252","LocalPort": "36580","MatchCount": 675896743,"MatchCountSinceLastReport": -17051991,"NetworkProfile": "everyonefriendship","PID": "-1491782631","PolicyName": "friendlybunch","PolicyID": "fewchest","Protocol": "whosetrench coat","RemoteAddress": "65.58.83.244","RemotePort": "45643","RuleAction": "Britisharmy","RuleDescription": "host pack hat box bowl cast comb milk reel colorfulbevy","RuleFamilyID": "plenty ofcompany","RuleGroupName": "difficultcatalog","RuleName": "everybodyday","RuleId": "itbowl","Status": "Lebaneseshower","Timestamp": 1751371830,"TreeID": "Hitlerianboard"}} +{"metadata": {"customerIDString": "herposse","offset": 1859087843,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "mywoman","UserID": "quizzicalclass","ExecutionID": "anyhost","ReportID": "theseheap","ReportName": "herstaff","ReportType": "someoneoil","ReportFileReference": "fullstand","Status": "whatbeans","StatusMessage": "eachaccommodation","ExecutionMetadata": {"ExecutionStart": 1497599866,"ExecutionDuration": -991015096,"ReportFileName": "Koreanloss","ResultCount": 1748156442,"ResultID": "severalyard","SearchWindowStart": -797632144,"SearchWindowEnd": -1019419451}}} +{"metadata": {"customerIDString": "fewbundle","offset": 811982012,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "numeroussoftware","MobileDetectionId": -1904510031,"ComputerName": "Greekexaltation","UserName": "myworld","ContextTimeStamp": 1649061056,"DetectId": "over therehand","DetectName": "howcousin","DetectDescription": "congregation poverty band block range religion week heap whatwisdom","Tactic": "fewpack","TacticId": "whoseadult","Technique": "cooperativeexaltation","TechniqueId": "Belgiansocks","Objective": "theirkitchen","Severity": 58,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/sleepyset?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "howgovernment","AndroidAppLabel": "whichluxury","DexFileHashes": "disgustingman","ImageFileName": "ourmusic","AppInstallerInformation": "heregovernment","IsBeingDebugged": false,"AndroidAppVersionName": "itwildlife","IsContainerized": false}]}} +{"metadata": {"customerIDString": "itswoman","offset": -202219313,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "ouralbum","IncidentDescription": "number hand pack problem literature success guest harvest bow museum Mozartianlife","Severity": 45,"SeverityName": "Medium","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "bravebundle","UserName": "Freudiannest","EndpointName": "herclump","EndpointIp": "140.45.95.105","Category": "Detections","NumbersOfAlerts": 1123668711,"NumberOfCompromisedEntities": -986302934,"State": "RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/numerouslibrary?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "whoseenvy","offset": 1336498276,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "knightlyslavery","UserIp": "23.204.163.65","OperationName": "confirmResetPassword","ServiceName": "Crowdstrike Streaming API","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "manytiming","ValueString": "yourflock"}],"Attributes": {"actor_cid": "whatidea","actor_user": "plenty ofthrill","actor_user_uuid": "Elizabethanlaughter","app_id": "anypack","saml_assertion": "allgroup","target_user": "yourpoint","trace_id": "energetichair"}}} +{"metadata": {"customerIDString": "Putinistoutfit","offset": -464699610,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "therefear","UserIp": "190.98.76.245","OperationName": "createUser","ServiceName": "detections","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "Torontoniansocks","ValueString": "pinkbouquet"}],"Attributes": {"actor_cid": "herealligator","actor_user": "everybodygovernment","actor_user_uuid": "Bismarckianveterinarian","app_id": "someonepack","saml_assertion": "yourcrowd","target_user": "Thaiteam","trace_id": "Germanheels"}}} +{"metadata": {"customerIDString": "Brazilianband","offset": 547834351,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "spottedcrowd","HostnameField": "theircard","UserName": "handsomeflock","StartTimestamp": 1582830734,"AgentIdString": "manysandals"}} +{"metadata": {"customerIDString": "itseye","offset": 85979815,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "Slovakdisregard","UserIp": "161.210.122.111","OperationName": "deleteUser","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "scarysky","ValueString": "lazytrip"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "theseman"}}} +{"metadata": {"customerIDString": "severaltail","offset": -496750003,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "somebodyline","UserIp": "181.119.120.133","OperationName": "grantCustomerSubscriptions","ServiceName": "Crowdstrike Streaming API","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "fewweek","ValueString": "insufficientcongregation"}],"Attributes": {"actor_cid": "thoserange","actor_user": "Egyptianmuster","actor_user_uuid": "manyarmy","app_id": "whosebookstore","saml_assertion": "fewspoon","target_user": "whyjustice","trace_id": "thosetransportation"}}} +{"metadata": {"customerIDString": "whosepleasure","offset": -2143757847,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "whoseproblem","UserID": "thesewaist","ExecutionID": "horriblegovernment","ReportID": "wheremuster","ReportName": "thereboard","ReportType": "yourcaravan","ReportFileReference": "yourproblem","Status": "Japanesebale","StatusMessage": "emptyparty","ExecutionMetadata": {"ExecutionStart": -845012901,"ExecutionDuration": -340990076,"ReportFileName": "theregroup","ResultCount": 1942445329,"ResultID": "herbow","SearchWindowStart": -967511895,"SearchWindowEnd": 122476930}}} +{"metadata": {"customerIDString": "yourocean","offset": 563835375,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 677914316,"ProcessEndTime": 1753288785,"ProcessId": 786054393,"ParentProcessId": -1517238162,"ComputerName": "anythingdanger","UserName": "heavywork","DetectName": "gloriousriches","DetectDescription": "motivation mob currency market group number literature point board lack child election mob apartment dangerouswelfare","Severity": 5,"SeverityName": "Critical","FileName": "whichrazor","FilePath": "yourwoman\\whichrazor","CommandLine": "C:\\Windows\\crowdedcovey","SHA256String": "Uzbekostrich","MD5String": "severalbeauty","SHA1String": "anyonefailure","MachineDomain": "anytrip","NetworkAccesses": [{"AccessType": 803760681,"AccessTimestamp": 1751371565,"Protocol": "howsorrow","LocalAddress": "186.189.48.115","LocalPort": 9178,"RemoteAddress": "179.68.167.78","RemotePort": 75164,"ConnectionDirection": 1,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whatparty?_cid=xxxxxxx","SensorId": "Bangladeshicheese","IOCType": "domain","IOCValue": "itgroup","DetectId": "couplewolf","LocalIP": "117.210.159.74","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "Alpinewings","Technique": "nonebasket","Objective": "significantgovernment","PatternDispositionDescription": "nest staff bunch literature archipelago yoga thing packet Salvadoreanability","PatternDispositionValue": -1531758015,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": true,"SensorOnly": false,"Rooting": true,"KillProcess": true,"KillSubProcess": false,"QuarantineMachine": true,"QuarantineFile": false,"PolicyDisabled": false,"KillParent": false,"OperationBlocked": true,"ProcessBlocked": true,"RegistryOperationBlocked": true,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": true,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "howstring","ParentCommandLine": "everyonesedge","GrandparentImageFileName": "everybodybutter","GrandparentCommandLine": "howparty","HostGroups": "everybodyweek","AssociatedFile": "itsmercy","PatternId": 1232464714}} +{"metadata": {"customerIDString": "aloofcrowd","offset": 740568382,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "whygang","Region": "us-east-1","ResourceId": "somecast","ResourceIdType": "alldynasty","ResourceName": "theirmouth","ResourceCreateTime": 0,"PolicyStatement": "alljoy","PolicyId": -1697369840,"Severity": 36,"SeverityName": "Informational","CloudPlatform": "halfperson","CloudService": "colorfulposse","Disposition": "Failed","ResourceUrl": "howclothing","Finding": "hercar","Tags": [{"Key": "lovelytroop","ValueString": "noneproblem"}],"ReportUrl": "thoseluxuty","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "jitterymurder","offset": 1961041064,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "muchanger","MobileDetectionId": 69767198,"ComputerName": "proudbus","UserName": "over therehorde","ContextTimeStamp": 1649061056,"DetectId": "whysedge","DetectName": "whymonth","DetectDescription": "whatmirror","Tactic": "whosebread","TacticId": "anythingcompany","Technique": "hiscollection","TechniqueId": "outstandingnumber","Objective": "over thereposse","Severity": 43,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/mymurder?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "yourcomfort","AndroidAppLabel": "Salvadoreanpen","DexFileHashes": "everybodyparty","ImageFileName": "cutehorror","AppInstallerInformation": "everythingwork","IsBeingDebugged": true,"AndroidAppVersionName": "nobodyman","IsContainerized": true}]}} +{"metadata": {"customerIDString": "itcat","offset": -821676966,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "uglydanger","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\abundantworld","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Email","Description": "way sleep bunch plan thing troupe basket production bridge shower muster gang trip pain cackle team advertising thought poisedwisp","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thiskindness?_cid=xxxxxxx","FileName": "eachparty","FilePath": "emptywidth\\eachparty","FilesAccessed": [{"FileName": "eachparty","FilePath": "emptywidth\\eachparty","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "eachparty","FilePath": "emptywidth\\eachparty","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\victoriousgrade","GrandParentImageFileName": "whichmeal","GrandParentImageFilePath": "ourcompany\\whichmeal","HostGroups": "nonedynasty","Hostname": "littlegarden","LocalIP": "175.120.65.85","LocalIPv6": "162.194.94.24","LogonDomain": "wherejoy","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "yourroad","Name": "magnificenttime","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -371508142,"ConnectionDirection": 0,"IsIPV6": false,"LocalAddress": "113.59.205.90","LocalPort": 16996,"Protocol": "Belgianapro","RemoteAddress": "212.199.228.138","RemotePort": 17202}],"Objective": "whoseaid","ParentCommandLine": "C:\\Windows\\thosepacket\\thesequiver","ParentImageFileName": "thesequiver","ParentImageFilePath": "so fewmustering\\thesequiver","ParentProcessId": -1247164242,"PatternDispositionDescription": "party garage knowledge trend whisker luxuty peace line yourparty","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": false,"Detect": false,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"InddetMask": true,"Indicator": false,"KillActionFailed": true,"KillParent": false,"KillProcess": true,"KillSubProcess": false,"OperationBlocked": true,"PolicyDisabled": true,"ProcessBlocked": false,"QuarantineFile": true,"QuarantineMachine": true,"RegistryOperationBlocked": false,"Rooting": false,"SensorOnly": false,"SuspendParent": true,"SuspendProcess": false},"PatternDispositionValue": 834471333,"PatternId": -1406840380,"PlatformId": "fewfurniture","PlatformName": "Mac","ProcessEndTime": -1161875253,"ProcessId": 704146160,"ProcessStartTime": 2080525086,"ReferrerUrl": "Icelandicseed","SHA1String": "itgoal","SHA256String": "sufficienttroupe","Severity": 29,"SeverityName": "High","SourceProducts": "thatflower","SourceVendors": "tooregiment","Tactic": "Greekway","Technique": "theirsoap","Type": "ldt","UserName": "Malagasyconfusion"}} +{"metadata": {"customerIDString": "fewdisregard","offset": -2029514474,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "angrypronunciation","PolicyId": -1970886867,"PolicyStatement": "over therepouch","CloudProvider": "somepencil","CloudService": "whichimagination","Severity": 79,"SeverityName": "Medium","EventAction": "nocleverness","EventSource": "thischoir","EventCreatedTimestamp": 1663011160,"UserId": "thismustering","UserName": "Africandoctor","UserSourceIp": "53.43.174.74","Tactic": "whathand","Technique": "herfun"}} +{"metadata": {"customerIDString": "yellowenvy","offset": -1993478320,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "brightweek","UserIp": "254.218.27.74","OperationName": "userAuthenticate","ServiceName": "Crowdstrike Streaming API","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "Buddhistbowl","ValueString": "Burmesehost"}],"Attributes": {"actor_cid": "howbevy","actor_user": "knightlycousin","actor_user_uuid": "handsomefun","app_id": "a lotbottle","saml_assertion": "enoughlife","target_user": "whosechild","trace_id": "heavilypage"}}} +{"metadata": {"customerIDString": "herebrilliance","offset": -1831228191,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "somebodyscheme","State": "closed","FineScore": 7.039776011344496,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "Plutonianarmy","HostID": "alltribe","LMHostIDs": ["fewteam"],"UserId": "magnificentboard"}} +{"metadata": {"customerIDString": "thatcrowd","offset": -753998750,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "itssoup","UserIp": "15.186.240.250","OperationName": "selfAcceptEula","ServiceName": "detections","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "thosewood","ValueString": "thisproduct"}],"Attributes": {"actor_cid": "braveeye","actor_user": "thisstaff","actor_user_uuid": "anythingdishonesty","app_id": "hundredrainbow","saml_assertion": "Kyrgyzjoy","target_user": "howapple","trace_id": "filthybouquet"}}} +{"metadata": {"customerIDString": "stormytalent","offset": -1608868323,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "darkhail","HostnameField": "muddyleap","UserName": "insufficientshop","StartTimestamp": 1582830734,"AgentIdString": "heavilymagic"}} +{"metadata": {"customerIDString": "greenhorror","offset": 840939344,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "thateye","UserIp": "193.145.138.133","OperationName": "revokeUserRoles","ServiceName": "detections","AuditKeyValues": [{"Key": "lonelywisp","ValueString": "whichpunctuation"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "lovelybrace"}}} +{"metadata": {"customerIDString": "whoseshower","offset": -303773766,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "Cypriotplace","PolicyId": -1131743678,"PolicyStatement": "whosecovey","CloudProvider": "Africanspeed","CloudService": "thesehost","Severity": 8,"SeverityName": "High","EventAction": "Californianability","EventSource": "Turkmenpart","EventCreatedTimestamp": 1663011160,"UserId": "hereknowledge","UserName": "theremarriage","UserSourceIp": "206.46.125.9","Tactic": "Dutchshower","Technique": "everyonehost"}} +{"metadata": {"customerIDString": "allstaff","offset": -2145506912,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "hispaper","UserID": "wholegroup","ExecutionID": "whereperson","ReportID": "wanderingreel","ReportName": "over therewealth","ReportType": "variedtea","ReportFileReference": "heavilystring","Status": "fancyleap","StatusMessage": "Laotianfinger","ExecutionMetadata": {"ExecutionStart": 598742230,"ExecutionDuration": -466972945,"ReportFileName": "whoseteacher","ResultCount": -170185523,"ResultID": "herechild","SearchWindowStart": -645346693,"SearchWindowEnd": -936574230}}} +{"metadata": {"customerIDString": "impromptuherbs","offset": -671440385,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "hereway","HostnameField": "whichbed","UserName": "delightfulfather","StartTimestamp": 1582830734,"AgentIdString": "everybodywoman"}} +{"metadata": {"customerIDString": "thattrust","offset": -1407742014,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "Africanfailure","PolicyId": -1009302844,"PolicyStatement": "ittime","CloudProvider": "eachposse","CloudService": "ourchildhood","Severity": 85,"SeverityName": "High","EventAction": "franticmustering","EventSource": "thatgloves","EventCreatedTimestamp": 1663011160,"UserId": "lonelybrilliance","UserName": "ourdynasty","UserSourceIp": "143.92.26.216","Tactic": "therekid","Technique": "ourart"}} +{"metadata": {"customerIDString": "gloriousdivorce","offset": 1342704196,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "hisseafood","UserID": "manyhotel","ExecutionID": "thosepicture","ReportID": "everythingjob","ReportName": "halfsalt","ReportType": "upsetcast","ReportFileReference": "ourhand","Status": "everyoneplace","StatusMessage": "yourinnocence","ExecutionMetadata": {"ExecutionStart": -581552420,"ExecutionDuration": -1598579021,"ReportFileName": "anyinfancy","ResultCount": -988564843,"ResultID": "whereresearch","SearchWindowStart": 1424290890,"SearchWindowEnd": 393370078}}} +{"metadata": {"customerIDString": "wholegeneration","offset": 131148644,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 1347675130,"ProcessEndTime": -1876679142,"ProcessId": -947736290,"ParentProcessId": -1309925092,"ComputerName": "somegoal","UserName": "fewbale","DetectName": "someheap","DetectDescription": "patrol army bunch child tribe person thing clump heat pod pipe anger stand soup wolf church string tenderstring","Severity": 4,"SeverityName": "High","FileName": "eachvilla","FilePath": "gorgeousson\\eachvilla","CommandLine": "C:\\Windows\\over thereassistance","SHA256String": "substantialmagic","MD5String": "whosemob","SHA1String": "anythingcase","MachineDomain": "oursock","NetworkAccesses": [{"AccessType": -1978822203,"AccessTimestamp": 1751371565,"Protocol": "so fewpig","LocalAddress": "206.87.187.254","LocalPort": 25189,"RemoteAddress": "173.236.92.168","RemotePort": 22882,"ConnectionDirection": 2,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/hungryunion?_cid=xxxxxxx","SensorId": "thesebow","IOCType": "command_line","IOCValue": "importantlake","DetectId": "lots ofcarrot","LocalIP": "18.78.90.177","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "foolishcase","Technique": "hisfactory","Objective": "Swaziability","PatternDispositionDescription": "bevy hammer case darkness socks travel riches mustering steak dynasty ream annoyance tennis leisure point cluster life muster point covey cleancovey","PatternDispositionValue": -1986402747,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": false,"SensorOnly": true,"Rooting": false,"KillProcess": true,"KillSubProcess": true,"QuarantineMachine": true,"QuarantineFile": false,"PolicyDisabled": false,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": true,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": true,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "somebodycandle","ParentCommandLine": "something","GrandparentImageFileName": "doublemurder","GrandparentCommandLine": "thiscompany","HostGroups": "Gaussiancorruption","AssociatedFile": "Atlanticforest","PatternId": -1882667008}} +{"metadata": {"customerIDString": "howmob","offset": 614263770,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "yoursurgeon","UserIp": "246.251.242.53","OperationName": "deleteUser","ServiceName": "detections","AuditKeyValues": [{"Key": "Vietnamesepleasure","ValueString": "Pacificpage"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "someoneorchard"}}} +{"metadata": {"customerIDString": "whereparty","offset": -189582918,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "wherenumber","DetectName": "giftedhorror","DetectDescription": "tent door street luxury muster heap toilet frailty book trip loneliness stack bones generation cackle watch trip cooker pack cigarette army bouquet place Hitlerianlove","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Congolesecrew?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 17,"SeverityName": "Critical","Tactic": "Portuguesebox","Technique": "onemustering","Objective": "thisarmy","SourceAccountDomain": "allnap","SourceAccountName": "condemnedchildhood","SourceAccountObjectSid": "Buddhistleap","SourceEndpointAccountObjectGuid": "whichteam","SourceEndpointAccountObjectSid": "healthydeceit","SourceEndpointHostName": "perfectsoup","SourceEndpointIpAddress": "161.190.123.166","SourceEndpointSensorId": "whichtable","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "fancycompany","PatternId": 1548354304}} +{"metadata": {"customerIDString": "heavilystaff","offset": 906103853,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "ourgalaxy","PolicyId": 604517403,"PolicyStatement": "whatstand","CloudProvider": "somefailure","CloudService": "itsbunch","Severity": 49,"SeverityName": "Medium","EventAction": "herebale","EventSource": "herecast","EventCreatedTimestamp": 1663011160,"UserId": "richregiment","UserName": "hisengine","UserSourceIp": "100.243.158.102","Tactic": "manygroup","Technique": "theirfleet"}} +{"metadata": {"customerIDString": "condemnedcollege","offset": 1812346359,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "thereway","State": "open","FineScore": 8.31994394666357,"LateralMovement": 1,"IncidentType": 2,"IncidentID": "yourdamage","HostID": "so fewcrime","LMHostIDs": ["greatproduction"],"UserId": "Gaussianreligion"}} +{"metadata": {"customerIDString": "Bismarckiangain","offset": -592288370,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "gracefulschool","State": "closed","FineScore": 1.9359426021893968,"LateralMovement": 1,"IncidentType": 2,"IncidentID": "lots ofpack","HostID": "frighteningteam","LMHostIDs": ["Chinesechair"],"UserId": "frighteningocean"}} +{"metadata": {"customerIDString": "itsposse","offset": -615795649,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "Germanscold","Region": "us-west-2","ResourceId": "thatarchitect","ResourceIdType": "Amazonianrubbish","ResourceName": "ourwoman","ResourceCreateTime": 0,"PolicyStatement": "whyspoon","PolicyId": 1035142533,"Severity": 27,"SeverityName": "Low","CloudPlatform": "smoggyadvantage","CloudService": "plainmustering","Disposition": "Failed","ResourceUrl": "happyway","Finding": "anyoneweek","Tags": [{"Key": "knightlygenetics","ValueString": "ourmovement"}],"ReportUrl": "terribleexaltation","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "heavilycluster","offset": 1787879286,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "hisman","IncidentDescription": "myhail","Severity": 12,"SeverityName": "Critical","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "eachhand","UserName": "hiscomb","EndpointName": "fewmustering","EndpointIp": "1.165.23.55","Category": "Incidents","NumbersOfAlerts": -60578336,"NumberOfCompromisedEntities": -1036433694,"State": "RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/itssenator?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "yourworld","offset": -249568344,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "glamorousband","UserIp": "211.129.175.149","OperationName": "updateUserRoles","ServiceName": "Crowdstrike Streaming API","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "Kazakhtroop","ValueString": "whatgarage"}],"Attributes": {"actor_cid": "sparserice","actor_user": "Bangladeshistring","actor_user_uuid": "blushingparty","app_id": "yourgroup","saml_assertion": "drabviolence","target_user": "enthusiasticsandals","trace_id": "yourverb"}}} +{"metadata": {"customerIDString": "herebrace","offset": -116475959,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "hisskirt","DataDomains": "Network","Description": "game class crow voice patrol wisp omen bird company month deceit staff list Romanianhorror","DetectId": "myfame","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "133.215.83.142","HostNames": "thosepack","Name": "littlecastle","PatternId": 1339224201,"Severity": 47,"SourceProducts": "itsteam","SourceVendors": "Romanjaw","StartTimeEpoch": 1643317697728000000,"TacticIds": "enchantedhost","Tactics": "sparsemob","TechniqueIds": "someglasses","Techniques": "mostjustice","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "eagerchoker","offset": 911507457,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "glamorousliter","PolicyId": 1096683373,"PolicyStatement": "thesefactory","CloudProvider": "myresearch","CloudService": "howforest","Severity": 55,"SeverityName": "Informational","EventAction": "howarchipelago","EventSource": "numerousbouquet","EventCreatedTimestamp": 1663011160,"UserId": "thisbundle","UserName": "colorfultraffic","UserSourceIp": "206.44.219.194","Tactic": "Taiwaneseburger","Technique": "thesecheese"}} +{"metadata": {"customerIDString": "yourfrailty","offset": -793020454,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "wholebundle","Highlights": ["manyrange"],"MatchedTimestamp": 1686889114000,"RuleId": "significantfoot","RuleName": "herehedge","RuleTopic": "anythingloneliness","RulePriority": "whosechapter","ItemId": "whichcaravan","ItemType": "TYPOSQUATTING","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "theirmusician","offset": -873652378,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "couplefashion","IncidentDescription": "pod coupleracism","Severity": 78,"SeverityName": "Critical","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "hundredtrade","UserName": "wearyrange","EndpointName": "severalhand","EndpointIp": "107.73.28.194","Category": "Detections","NumbersOfAlerts": -1628927342,"NumberOfCompromisedEntities": -1589325642,"State": "DISMISS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/cruelwisp?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "nocongregation","offset": -473597939,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "thesehost","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\wheremurder","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Email","Description": "assistance quantity leap range cackle notebook necklace failure cast cup towel pride part salt child band leap bus courage party trip mybush","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whatlemon?_cid=xxxxxxx","FileName": "eithertail","FilePath": "insufficientfreezer\\eithertail","FilesAccessed": [{"FileName": "eithertail","FilePath": "insufficientfreezer\\eithertail","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "eithertail","FilePath": "insufficientfreezer\\eithertail","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\nonebunch","GrandParentImageFileName": "anyoneheap","GrandParentImageFilePath": "gorgeouseffect\\anyoneheap","HostGroups": "hundredlove","Hostname": "substantialbowl","LocalIP": "70.56.189.48","LocalIPv6": "191.77.79.78","LogonDomain": "heavilytribe","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "thosemotherhood","Name": "muddyleg","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -1523947815,"ConnectionDirection": 2,"IsIPV6": true,"LocalAddress": "50.155.178.116","LocalPort": 17792,"Protocol": "onefrock","RemoteAddress": "126.236.243.158","RemotePort": 54920}],"Objective": "greenjewelry","ParentCommandLine": "C:\\Windows\\impromptureel\\theirrange","ParentImageFileName": "theirrange","ParentImageFilePath": "yourchicken\\theirrange","ParentProcessId": 1209494877,"PatternDispositionDescription": "forest case rubbish solitude divorce life day steak packet generosity field group harm set way plant eachtribe","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": false,"Detect": true,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"InddetMask": true,"Indicator": false,"KillActionFailed": true,"KillParent": true,"KillProcess": false,"KillSubProcess": false,"OperationBlocked": true,"PolicyDisabled": false,"ProcessBlocked": false,"QuarantineFile": true,"QuarantineMachine": false,"RegistryOperationBlocked": true,"Rooting": true,"SensorOnly": true,"SuspendParent": false,"SuspendProcess": false},"PatternDispositionValue": -1416433354,"PatternId": -310322465,"PlatformId": "Bismarckiancompany","PlatformName": "Mac","ProcessEndTime": -234214285,"ProcessId": 41147750,"ProcessStartTime": -934921982,"ReferrerUrl": "over therecompany","SHA1String": "wherebattery","SHA256String": "Cambodianperson","Severity": 45,"SeverityName": "Critical","SourceProducts": "delightfulrange","SourceVendors": "Icelandicman","Tactic": "whygoal","Technique": "thatring","Type": "ldt","UserName": "itsfriendship"}} +{"metadata": {"customerIDString": "numerousomen","offset": 188460579,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "heavilypack","HostnameField": "Swisscollection","UserName": "thereirritation","StartTimestamp": 1582830734,"AgentIdString": "heavilywoman"}} +{"metadata": {"customerIDString": "South Americantolerance","offset": -1442300907,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "itglasses","IncidentDescription": "trench coat patience collection trip bill herecastle","Severity": 6,"SeverityName": "Critical","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "Lebanesetime","UserName": "thesefarm","EndpointName": "courageousarchipelago","EndpointIp": "223.27.112.86","Category": "Detections","NumbersOfAlerts": 205286678,"NumberOfCompromisedEntities": 74875580,"State": "NEW","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/yourgirl?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "enoughchildhood","offset": -1047000705,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "whichwisdom","Region": "us-west-1","ResourceId": "heavyscold","ResourceIdType": "therescale","ResourceName": "Bahraineancongregation","ResourceCreateTime": 0,"PolicyStatement": "lightfriend","PolicyId": 413473485,"Severity": 61,"SeverityName": "Informational","CloudPlatform": "Guyaneseboat","CloudService": "severalclarity","Disposition": "Failed","ResourceUrl": "oddday","Finding": "howlogic","Tags": [{"Key": "thatmovement","ValueString": "howgown"}],"ReportUrl": "eachhedge","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "Beninesesandwich","offset": 915076709,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "herworld","Highlights": ["so fewband"],"MatchedTimestamp": 1686889114000,"RuleId": "stupidwealth","RuleName": "theseelephant","RuleTopic": "severalfish","RulePriority": "manynutrition","ItemId": "thesehat","ItemType": "LEGACY_TI","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "sufficientbike","offset": 89084100,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "mypoint","IncidentDescription": "chaos eye tiger mob foot entertainment shower chapter congregation river wood candy album scold part lawn paper thoselife","Severity": 16,"SeverityName": "Critical","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "somebelief","UserName": "Norwegianfarm","EndpointName": "Balinesecarrot","EndpointIp": "20.157.171.45","Category": "Detections","NumbersOfAlerts": -656181163,"NumberOfCompromisedEntities": -1843982960,"State": "RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Polynesiancrew?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "Asianriches","offset": 744878699,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "thiscovey","Region": "us-east-1","ResourceId": "itsability","ResourceIdType": "whichteam","ResourceName": "attractivecoffee","ResourceCreateTime": 0,"PolicyStatement": "hercalm","PolicyId": 1562184883,"Severity": 52,"SeverityName": "Low","CloudPlatform": "Turkmennest","CloudService": "severalaunt","Disposition": "Failed","ResourceUrl": "whyguest","Finding": "illday","Tags": [{"Key": "Taiwanesenature","ValueString": "everythinginnocence"}],"ReportUrl": "whyreligion","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "eachbrace","offset": 857788492,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "myparty","IncidentDescription": "village medicine body station party congregation way cast host line woman trend ream grains harvest box gloriousmanagement","Severity": 27,"SeverityName": "Low","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "anycloud","UserName": "itreel","EndpointName": "severalblouse","EndpointIp": "98.114.143.88","Category": "Detections","NumbersOfAlerts": 2069547470,"NumberOfCompromisedEntities": -346285196,"State": "RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/theirlove?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "Englishwoman","offset": 169267568,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "theseteam","UserIp": "239.47.193.209","OperationName": "updateUser","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "repulsivefact","ValueString": "over therebale"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "thatkitchen"}}} +{"metadata": {"customerIDString": "theremob","offset": -130794817,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "itscase","HostnameField": "whywork","UserName": "whoseocean","StartTimestamp": 1582830734,"AgentIdString": "hisbow"}} +{"metadata": {"customerIDString": "Kazakhbouquet","offset": -1459938176,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "thosegovernment","PolicyId": -862303071,"PolicyStatement": "onepack","CloudProvider": "couplestand","CloudService": "wittyfact","Severity": 24,"SeverityName": "Low","EventAction": "toohorror","EventSource": "manycovey","EventCreatedTimestamp": 1663011160,"UserId": "Hitlerianstand","UserName": "Peruvianperson","UserSourceIp": "42.99.248.34","Tactic": "whattime","Technique": "hugestack"}} +{"metadata": {"customerIDString": "itpack","offset": -1341880091,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "Americanparty","CustomerId": "whichhail","Ipv": "84.131.14.185","CommandLine": "plenty ofreligion","ConnectionDirection": "2","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": true,"Log": false,"Monitor": false},"HostName": "itcast","ICMPCode": "yourcashier","ICMPType": "friendlyjourney","ImageFileName": "myboard","LocalAddress": "252.116.43.249","LocalPort": "82130","MatchCount": -1801157096,"MatchCountSinceLastReport": -592942918,"NetworkProfile": "hisfailure","PID": "1891097036","PolicyName": "Russianbat","PolicyID": "hundredtroop","Protocol": "foolishfood","RemoteAddress": "164.38.209.104","RemotePort": "64254","RuleAction": "whatlight","RuleDescription": "place wildlife music patrol world school gang monkey choir part howflower","RuleFamilyID": "everythingtroop","RuleGroupName": "hundredsstand","RuleName": "numerousgovernment","RuleId": "howproblem","Status": "manyman","Timestamp": 1751371830,"TreeID": "nobodytime"}} +{"metadata": {"customerIDString": "allteam","offset": -128608230,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "abundantkitchen","MobileDetectionId": 1038837053,"ComputerName": "everybodyteam","UserName": "whattroop","ContextTimeStamp": 1649061056,"DetectId": "jitterydoor","DetectName": "whichwelfare","DetectDescription": "mustering company timing sheaf world truth brilliance goal comfort flock clarity watch band plane darkness posse problem shower week illtablet","Tactic": "vastorange","TacticId": "grumpymustering","Technique": "nobodyannoyance","TechniqueId": "itsfrock","Objective": "Afghanpair","Severity": 24,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/lemonydishonesty?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "nobodyalligator","AndroidAppLabel": "mushybundle","DexFileHashes": "therewealth","ImageFileName": "howriches","AppInstallerInformation": "greatteam","IsBeingDebugged": false,"AndroidAppVersionName": "sufficientadvertising","IsContainerized": true}]}} +{"metadata": {"customerIDString": "unusualplace","offset": -1870564443,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "whatarmy","IncidentDescription": "thing posse fleet group beauty gang hand scheme coldness gang battery mob place gain shower team adult equipment thing bunch dream case thatway","Severity": 51,"SeverityName": "Critical","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "wildgroup","UserName": "whichcar","EndpointName": "dullpoint","EndpointIp": "7.205.115.2","Category": "Detections","NumbersOfAlerts": -1262257511,"NumberOfCompromisedEntities": 992639384,"State": "RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whosechildhood?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "itbouquet","offset": 6129949,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "everyonebattery","Highlights": ["anyonefield"],"MatchedTimestamp": 1686889114000,"RuleId": "hishost","RuleName": "Peruviangrandfather","RuleTopic": "littleswan","RulePriority": "yourdanger","ItemId": "myhorde","ItemType": "LEGACY_TI","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "lots ofpart","offset": 1037283426,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "so fewbaby","UserIp": "69.1.75.38","OperationName": "resetAuthSecret","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "Turkishbatch","ValueString": "someonenecklace"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "thoseaid"}}} +{"metadata": {"customerIDString": "hisbrilliance","offset": -128771518,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "eagerbattery","UserIp": "157.31.134.135","OperationName": "revokeUserRoles","ServiceName": "detections","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "whichgrandmother","ValueString": "Colombianfriendship"}],"Attributes": {"actor_cid": "substantialherbs","actor_user": "manyharm","actor_user_uuid": "hisvilla","app_id": "grievingresearch","saml_assertion": "hiscompany","target_user": "theirfriendship","trace_id": "lightproblem"}}} +{"metadata": {"customerIDString": "everybodybowl","offset": -1144620000,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "mymuster","PolicyId": -1726339930,"PolicyStatement": "enough ofsedge","CloudProvider": "whereline","CloudService": "theirperson","Severity": 97,"SeverityName": "High","EventAction": "howeye","EventSource": "fiercemodel","EventCreatedTimestamp": 1663011160,"UserId": "howthing","UserName": "whichtravel","UserSourceIp": "115.56.203.169","Tactic": "somebodyfear","Technique": "lightadvantage"}} +{"metadata": {"customerIDString": "whosefailure","offset": 2823017,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "yourpod","UserID": "eachnewspaper","ExecutionID": "Laotianboots","ReportID": "yourscooter","ReportName": "allfrailty","ReportType": "theirheat","ReportFileReference": "whatsilence","Status": "nobodyexaltation","StatusMessage": "herparty","ExecutionMetadata": {"ExecutionStart": -1613912222,"ExecutionDuration": 1846147691,"ReportFileName": "impromptubus","ResultCount": 447659694,"ResultID": "Turkishishcollection","SearchWindowStart": 1262880322,"SearchWindowEnd": 593349689}}} +{"metadata": {"customerIDString": "manypod","offset": 1415680558,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "Laotiancast","UserIp": "17.103.228.141","OperationName": "createUser","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "alltrade","ValueString": "heavygrandfather"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "whatposse"}}} +{"metadata": {"customerIDString": "thereparty","offset": 2091174933,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 413575027,"ProcessEndTime": 744337427,"ProcessId": -747455923,"ParentProcessId": -1353657252,"ComputerName": "thesemurder","UserName": "tastyband","DetectName": "Asiangift","DetectDescription": "manyday","Severity": 0,"SeverityName": "Informational","FileName": "thereparty","FilePath": "hermuster\\thereparty","CommandLine": "C:\\Windows\\Sudanesebook","SHA256String": "Canadianlibrary","MD5String": "repulsivewrist","SHA1String": "nonerange","MachineDomain": "anycrowd","NetworkAccesses": [{"AccessType": 2045864891,"AccessTimestamp": 1751371565,"Protocol": "hertroupe","LocalAddress": "175.28.224.152","LocalPort": 49858,"RemoteAddress": "251.235.22.110","RemotePort": 45381,"ConnectionDirection": 1,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/panickedboard?_cid=xxxxxxx","SensorId": "herposse","IOCType": "registry_key","IOCValue": "heavyhospitality","DetectId": "a lotcloud","LocalIP": "36.65.231.175","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "nonefiction","Technique": "thatball","Objective": "whyharvest","PatternDispositionDescription": "team furniture thing party wad part guilt horror book mob block lawn year so fewposse","PatternDispositionValue": -247944075,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": true,"SensorOnly": false,"Rooting": false,"KillProcess": true,"KillSubProcess": false,"QuarantineMachine": true,"QuarantineFile": false,"PolicyDisabled": false,"KillParent": false,"OperationBlocked": true,"ProcessBlocked": true,"RegistryOperationBlocked": true,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": false,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "whattroupe","ParentCommandLine": "over therepatrol","GrandparentImageFileName": "carefultrip","GrandparentCommandLine": "howbutter","HostGroups": "kubannest","AssociatedFile": "thisdream","PatternId": 2141955879}} +{"metadata": {"customerIDString": "theircluster","offset": -1130609459,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 1801271134,"ProcessEndTime": 1989779501,"ProcessId": -946478599,"ParentProcessId": 367735827,"ComputerName": "thisloss","UserName": "Britishlibrary","DetectName": "eachchicken","DetectDescription": "host field group point bermudas person life care bevy part way crew leap blazer quiver notebook trip stack pen orange lightirritation","Severity": 4,"SeverityName": "Medium","FileName": "severalgrade","FilePath": "whoseprogress\\severalgrade","CommandLine": "C:\\Windows\\anythingparty","SHA256String": "noneplane","MD5String": "franticweek","SHA1String": "somegoodness","MachineDomain": "Barcelonianposse","NetworkAccesses": [{"AccessType": -1489347524,"AccessTimestamp": 1751371565,"Protocol": "thereawareness","LocalAddress": "139.113.62.38","LocalPort": 71472,"RemoteAddress": "229.105.119.123","RemotePort": 79397,"ConnectionDirection": 0,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/wheremachine?_cid=xxxxxxx","SensorId": "howboy","IOCType": "hash_sha256","IOCValue": "heregenetics","DetectId": "Sammarinesechild","LocalIP": "9.153.80.221","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "yourtroop","Technique": "itsentertainment","Objective": "oneemployment","PatternDispositionDescription": "woman strawberry telephone case line pronunciation orchard problem shoulder paper party company fun pack wall quiver fire school hatred fact quiver thing nonebale","PatternDispositionValue": 2000047797,"PatternDispositionFlags": {"Indicator": true,"Detect": true,"InddetMask": false,"SensorOnly": false,"Rooting": true,"KillProcess": true,"KillSubProcess": false,"QuarantineMachine": true,"QuarantineFile": false,"PolicyDisabled": true,"KillParent": false,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": false,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": false,"SuspendParent": false},"ParentImageFileName": "thatfact","ParentCommandLine": "wherestreet","GrandparentImageFileName": "therepain","GrandparentCommandLine": "ourharm","HostGroups": "itsdisregard","AssociatedFile": "somefish","PatternId": 853927344}} +{"metadata": {"customerIDString": "myadvantage","offset": -1987247065,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "nonefailure","MobileDetectionId": 492499962,"ComputerName": "insufficientdisregard","UserName": "hundredstroop","ContextTimeStamp": 1649061056,"DetectId": "improvisedweek","DetectName": "relievedcrew","DetectDescription": "line cat freedom line microscope scold work towel room luxuty airport mouth group harvest woman elephant microscope cash congregation heremagic","Tactic": "ourplace","TacticId": "theirhost","Technique": "yourclass","TechniqueId": "manyfarm","Objective": "ourreligion","Severity": 11,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/pricklingarchitect?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "nobodyboxers","AndroidAppLabel": "Newtonianyard","DexFileHashes": "whatposse","ImageFileName": "bravegroup","AppInstallerInformation": "noneclarity","IsBeingDebugged": false,"AndroidAppVersionName": "thosemouth","IsContainerized": false}]}} +{"metadata": {"customerIDString": "Putinistchild","offset": 547025139,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "whichchoker","Highlights": ["therekindness"],"MatchedTimestamp": 1686889114000,"RuleId": "hisleap","RuleName": "Torontonianclump","RuleTopic": "Tibetanarmy","RulePriority": "everybodyscold","ItemId": "whosejudge","ItemType": "SCRAPPY","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "thesepack","offset": 576302949,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "eachtime","MobileDetectionId": 353638587,"ComputerName": "wherefreedom","UserName": "tamearrow","ContextTimeStamp": 1649061056,"DetectId": "bravebale","DetectName": "eitherhorde","DetectDescription": "religion chaise longue supermarket troupe accommodation danger company cackle caravan day hedge sedge punctuation stress comfort work improvisedcomb","Tactic": "nobodymustering","TacticId": "couplemuster","Technique": "everystand","TechniqueId": "hundredsfact","Objective": "nohand","Severity": 3,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/everyboard?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "doubleperson","AndroidAppLabel": "thatribs","DexFileHashes": "whystress","ImageFileName": "whyclass","AppInstallerInformation": "anyschool","IsBeingDebugged": true,"AndroidAppVersionName": "severalbunch","IsContainerized": false}]}} +{"metadata": {"customerIDString": "a littlesister","offset": 497930223,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "fullleap","State": "open","FineScore": 8.253328187024268,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "thesemob","HostID": "nonepollution","LMHostIDs": ["howidea"],"UserId": "enough ofparty"}} +{"metadata": {"customerIDString": "theregrandmother","offset": -377888476,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "whybevy","State": "closed","FineScore": 2.4581723447643586,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "itscaravan","HostID": "thosegeneration","LMHostIDs": ["Norwegianbrain"],"UserId": "therebrace"}} +{"metadata": {"customerIDString": "anythingteam","offset": -1935320999,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "Machiavellianowl","UserIp": "114.202.79.254","OperationName": "changePassword","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "everybodybowl","ValueString": "fewenthusiasm"}],"Attributes": {"actor_cid": "thesearchipelago","actor_user": "howbook","actor_user_uuid": "ouroutfit","app_id": "thattribe","saml_assertion": "muchteam","target_user": "eachslippers","trace_id": "thisway"}}} +{"metadata": {"customerIDString": "thatpagoda","offset": 2063223742,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "hisparty","DetectName": "howream","DetectDescription": "calm team battery cackle umbrella spoon fleet equipment finger justice bunch idea eachtomato","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whoseclass?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 11,"SeverityName": "Critical","Tactic": "mybowl","Technique": "abundantcompany","Objective": "mushypower","SourceAccountDomain": "over thereweek","SourceAccountName": "anythingmuster","SourceAccountObjectSid": "Frenchproblem","SourceEndpointAccountObjectGuid": "wheretime","SourceEndpointAccountObjectSid": "Portuguesepacket","SourceEndpointHostName": "hereemployment","SourceEndpointIpAddress": "201.174.150.217","SourceEndpointSensorId": "drabpyramid","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "whygroup","PatternId": 133765209}} +{"metadata": {"customerIDString": "nonegauva","offset": 316797287,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "allinvention","HostnameField": "nonedesk","UserName": "whyteam","StartTimestamp": 1582830734,"AgentIdString": "wherebunch"}} +{"metadata": {"customerIDString": "hereschool","offset": -151133312,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "Slovakbowl","PolicyId": -1128670304,"PolicyStatement": "manyleap","CloudProvider": "severalboard","CloudService": "yourgarden","Severity": 41,"SeverityName": "High","EventAction": "whyloss","EventSource": "enough ofreel","EventCreatedTimestamp": 1663011160,"UserId": "sometroop","UserName": "Uzbekcaravan","UserSourceIp": "96.213.136.114","Tactic": "shybrain","Technique": "thatcountry"}} +{"metadata": {"customerIDString": "Iraqifailure","offset": -1166009564,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "herwork","UserIp": "215.199.50.84","OperationName": "grantUserRoles","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "hischildhood","ValueString": "herlie"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "tensejealousy"}}} +{"metadata": {"customerIDString": "eitherchapter","offset": -1005552837,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "whichpoverty","State": "open","FineScore": 0.8797163430774031,"LateralMovement": 1,"IncidentType": 1,"IncidentID": "herday","HostID": "myteam","LMHostIDs": ["gorgeouscalm"],"UserId": "Kazakhreligion"}} +{"metadata": {"customerIDString": "greatstring","offset": 1475365269,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "whichmob","CustomerId": "motionlessheap","Ipv": "213.219.212.194","CommandLine": "Mexicanuncle","ConnectionDirection": "0","EventType": "FirewallRuleIP6Matched","Flags": {"Audit": true,"Log": true,"Monitor": false},"HostName": "everyonebunch","ICMPCode": "whoserain","ICMPType": "smilingdetective","ImageFileName": "wherescale","LocalAddress": "194.18.54.3","LocalPort": "42330","MatchCount": -275661217,"MatchCountSinceLastReport": -1728798315,"NetworkProfile": "whichlove","PID": "1288009452","PolicyName": "someonehedge","PolicyID": "nonegroup","Protocol": "howcardigan","RemoteAddress": "175.98.186.191","RemotePort": "10099","RuleAction": "nicheeye","RuleDescription": "thing batch pod quiver metal mob leap basket coldness troupe butter advertising mustering range thing nurse work dynasty adventurousminute","RuleFamilyID": "sparseluck","RuleGroupName": "littlepatience","RuleName": "itsbody","RuleId": "whichedge","Status": "itslake","Timestamp": 1751371830,"TreeID": "eagerpart"}} +{"metadata": {"customerIDString": "Shakespeareanawareness","offset": 955097522,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "theseheart","Highlights": ["Polishcompany"],"MatchedTimestamp": 1686889114000,"RuleId": "whichbeach","RuleName": "everythingbowl","RuleTopic": "Laotiansnow","RulePriority": "a littleair","ItemId": "thatstream","ItemType": "6G_EXTERNAL","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "lots ofclub","offset": -1462084068,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "therehat","UserID": "manyboard","ExecutionID": "powerlesseye","ReportID": "mushychoir","ReportName": "delightfulpacket","ReportType": "itscloud","ReportFileReference": "arrogantgrowth","Status": "anythingshrimp","StatusMessage": "whichhatred","ExecutionMetadata": {"ExecutionStart": -113504493,"ExecutionDuration": 319132957,"ReportFileName": "wheredynasty","ResultCount": -2023836113,"ResultID": "whyman","SearchWindowStart": -657242877,"SearchWindowEnd": 1977481583}}} +{"metadata": {"customerIDString": "Taiwanesebunch","offset": 1302564661,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "nobodycaravan","UserIp": "93.155.125.188","OperationName": "resetAuthSecret","ServiceName": "detections","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "angryline","ValueString": "tensetoy"}],"Attributes": {"actor_cid": "hercinema","actor_user": "ourwoman","actor_user_uuid": "somework","app_id": "everygroup","saml_assertion": "hisjealousy","target_user": "repulsivejourney","trace_id": "nobodyfurniture"}}} +{"metadata": {"customerIDString": "boredfield","offset": -1108903205,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "kindexaltation","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\itstrip","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Cloud","Description": "line number calm fox assistance cinema table gang congregation cackle gang currency pool wisp remote week hedge group group covey group frailty Dutchhost","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/hundredslaughter?_cid=xxxxxxx","FileName": "Greekmovement","FilePath": "itspatience\\Greekmovement","FilesAccessed": [{"FileName": "Greekmovement","FilePath": "itspatience\\Greekmovement","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "Greekmovement","FilePath": "itspatience\\Greekmovement","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\perfectsleep","GrandParentImageFileName": "enoughhost","GrandParentImageFilePath": "whykoala\\enoughhost","HostGroups": "Sudanesesweater","Hostname": "allsafety","LocalIP": "123.243.79.106","LocalIPv6": "175.173.153.31","LogonDomain": "severalnumber","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "Portuguesepalm","Name": "couplerange","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 113236423,"ConnectionDirection": 1,"IsIPV6": false,"LocalAddress": "158.133.57.226","LocalPort": 33528,"Protocol": "somefleet","RemoteAddress": "142.155.141.88","RemotePort": 60120}],"Objective": "cutetoothbrush","ParentCommandLine": "C:\\Windows\\yoursalt\\nobodyweather","ParentImageFileName": "nobodyweather","ParentImageFilePath": "shyusage\\nobodyweather","ParentProcessId": -1359678165,"PatternDispositionDescription": "swimming pool stand host mystudent","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": false,"ContainmentFileSystem": false,"CriticalProcessDisabled": true,"Detect": false,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"InddetMask": false,"Indicator": false,"KillActionFailed": false,"KillParent": false,"KillProcess": false,"KillSubProcess": true,"OperationBlocked": false,"PolicyDisabled": true,"ProcessBlocked": false,"QuarantineFile": true,"QuarantineMachine": true,"RegistryOperationBlocked": true,"Rooting": false,"SensorOnly": false,"SuspendParent": false,"SuspendProcess": false},"PatternDispositionValue": -2102588479,"PatternId": -469512368,"PlatformId": "whereboard","PlatformName": "Linux","ProcessEndTime": 1390910424,"ProcessId": -1379631775,"ProcessStartTime": 911758269,"ReferrerUrl": "over theretrip","SHA1String": "over therecity","SHA256String": "mystand","Severity": 13,"SeverityName": "Medium","SourceProducts": "itsdivorce","SourceVendors": "defiantteen","Tactic": "South Americanconfusion","Technique": "nonearmy","Type": "ofp","UserName": "theirsoftware"}} +{"metadata": {"customerIDString": "anyoneusage","offset": -1405121981,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "numerousstaff","DataDomains": "Web","Description": "soup brace regiment bale oven book motivation labour dynasty butter school mustering music air party over thereman","DetectId": "coupleposse","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "54.117.159.151","HostNames": "Burkinesecluster","Name": "everybodysink","PatternId": -1890638280,"Severity": 2,"SourceProducts": "wickedpeace","SourceVendors": "youraid","StartTimeEpoch": 1643317697728000000,"TacticIds": "disturbedcluster","Tactics": "whathorror","TechniqueIds": "manyweek","Techniques": "Diabolicalharvest","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "Barbadiancongregation","offset": -1339545627,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "cleversand","DataDomains": "Email","Description": "week range class temple liter flock crib mob cast time gas station troupe person orangelitter","DetectId": "Nepalesefood","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "153.22.103.211","HostNames": "wrongpeace","Name": "oneparty","PatternId": 572958802,"Severity": 66,"SourceProducts": "easywad","SourceVendors": "whichthing","StartTimeEpoch": 1643317697728000000,"TacticIds": "eitherfrog","Tactics": "cruelpatience","TechniqueIds": "everyonebattery","Techniques": "hurtnumber","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "everypad","offset": 794604786,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "wherelibrary","MobileDetectionId": -813741988,"ComputerName": "whatheap","UserName": "wholebasket","ContextTimeStamp": 1649061056,"DetectId": "howdoor","DetectName": "eachbunch","DetectDescription": "basket somewad","Tactic": "whosecrime","TacticId": "pricklingpatience","Technique": "hertraffic","TechniqueId": "halfsnow","Objective": "neitherfreedom","Severity": 22,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whereboard?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "significanthost","AndroidAppLabel": "enoughcast","DexFileHashes": "eachworld","ImageFileName": "whoseleap","AppInstallerInformation": "fewgossip","IsBeingDebugged": false,"AndroidAppVersionName": "whichperson","IsContainerized": false}]}} +{"metadata": {"customerIDString": "grievingwork","offset": 1735509124,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "hispack","Highlights": ["howsafety"],"MatchedTimestamp": 1686889114000,"RuleId": "sparseaunt","RuleName": "whosebeauty","RuleTopic": "thisfuel","RulePriority": "nomilk","ItemId": "wanderingarmy","ItemType": "CS","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "wholecalm","offset": 119058977,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "everythinghappiness","MobileDetectionId": 1790881276,"ComputerName": "itsmagic","UserName": "Swaziset","ContextTimeStamp": 1649061056,"DetectId": "theirfriendship","DetectName": "mychapter","DetectDescription": "success Barbadianpatience","Tactic": "thesepart","TacticId": "mytrench coat","Technique": "Bismarckianproblem","TechniqueId": "noneproduct","Objective": "cheerfulhomework","Severity": 0,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Greekcovey?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "repellingstream","AndroidAppLabel": "Indonesiancompany","DexFileHashes": "thatposse","ImageFileName": "thesechoir","AppInstallerInformation": "wholescold","IsBeingDebugged": false,"AndroidAppVersionName": "thosedarkness","IsContainerized": true}]}} +{"metadata": {"customerIDString": "whoseidea","offset": 429948887,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "itman","UserID": "myman","ExecutionID": "couplebrace","ReportID": "somebodyappetite","ReportName": "itvillage","ReportType": "Laotiantiger","ReportFileReference": "heavilygroup","Status": "smilingwisp","StatusMessage": "anyonehedge","ExecutionMetadata": {"ExecutionStart": 116137639,"ExecutionDuration": -1503286001,"ReportFileName": "someboard","ResultCount": -2104069598,"ResultID": "Dutchcontent","SearchWindowStart": 744397747,"SearchWindowEnd": -178323514}}} +{"metadata": {"customerIDString": "Spanishcrew","offset": 914702321,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "anyonebunch","PolicyId": 1444123637,"PolicyStatement": "muchcare","CloudProvider": "fewgovernment","CloudService": "allintelligence","Severity": 95,"SeverityName": "High","EventAction": "theirtroop","EventSource": "wherehorde","EventCreatedTimestamp": 1663011160,"UserId": "noneperson","UserName": "wherearmy","UserSourceIp": "161.114.44.124","Tactic": "heregrowth","Technique": "enoughfailure"}} +{"metadata": {"customerIDString": "someonealligator","offset": 860688524,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "theirpoint","CustomerId": "abundantbed","Ipv": "91.28.150.14","CommandLine": "herehelp","ConnectionDirection": "0","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": false,"Log": false,"Monitor": true},"HostName": "Colombiancane","ICMPCode": "whyjustice","ICMPType": "anythingarmy","ImageFileName": "terriblecatalog","LocalAddress": "117.250.17.164","LocalPort": "77788","MatchCount": -1192201294,"MatchCountSinceLastReport": 1317194809,"NetworkProfile": "itteam","PID": "2145148567","PolicyName": "abundantfreedom","PolicyID": "wherewater","Protocol": "Sudanesepod","RemoteAddress": "89.158.1.159","RemotePort": "67431","RuleAction": "nicehappiness","RuleDescription": "guilt orchard gossip year oxygen pod nest nest crime bridge chapter progress peace flock class parfume market government singlequiver","RuleFamilyID": "everythingluxuty","RuleGroupName": "Peruviancravat","RuleName": "itsgang","RuleId": "gorgeoushappiness","Status": "wholeliterature","Timestamp": 1751371830,"TreeID": "wherebrother"}} +{"metadata": {"customerIDString": "wheretrench coat","offset": 396827393,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "a littlewisdom","HostnameField": "whygirl","UserName": "tensetiming","StartTimestamp": 1582830734,"AgentIdString": "oneobesity"}} +{"metadata": {"customerIDString": "nobodyconfusion","offset": -2046425906,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "homelessbookstore","UserIp": "175.43.209.29","OperationName": "changePassword","ServiceName": "detections","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "itsjourney","ValueString": "whylitter"}],"Attributes": {"actor_cid": "myeye","actor_user": "anyinvention","actor_user_uuid": "whoselie","app_id": "heavyhelp","saml_assertion": "fewanger","target_user": "itbat","trace_id": "thosedynasty"}}} +{"metadata": {"customerIDString": "ourbunch","offset": 660537174,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "Spanishhour","DetectName": "numerouscompany","DetectDescription": "road racism quiver tiger library team pain advantage congregation fewworld","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/heavymarriage?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 80,"SeverityName": "High","Tactic": "anygroup","Technique": "anyreligion","Objective": "Beninesedeskpath","SourceAccountDomain": "a little bithappiness","SourceAccountName": "Frenchsnow","SourceAccountObjectSid": "toomercy","SourceEndpointAccountObjectGuid": "mostdetermination","SourceEndpointAccountObjectSid": "thesepicture","SourceEndpointHostName": "Brazilianeye","SourceEndpointIpAddress": "72.145.251.171","SourceEndpointSensorId": "sparseball","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "whyfiction","PatternId": 1014331507}} +{"metadata": {"customerIDString": "severalcare","offset": 1342695248,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "amusedpencil","State": "open","FineScore": 0.7641910996681891,"LateralMovement": 1,"IncidentType": 2,"IncidentID": "Balinesehorde","HostID": "eachcomb","LMHostIDs": ["numerousbrilliance"],"UserId": "enough ofpack"}} +{"metadata": {"customerIDString": "wrongmob","offset": -422176460,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "comfortablesedge","DetectName": "kubanfleet","DetectDescription": "relaxation shoulder door band method noun deceit tolerance childhood elegance dentist loneliness day church usage production entertainment whyirritation","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/somevillage?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 4,"SeverityName": "Informational","Tactic": "unusualposse","Technique": "everyoneroom","Objective": "histoy","SourceAccountDomain": "heresugar","SourceAccountName": "fantasticmouth","SourceAccountObjectSid": "over theregovernment","SourceEndpointAccountObjectGuid": "whereposse","SourceEndpointAccountObjectSid": "itsteam","SourceEndpointHostName": "whatlabour","SourceEndpointIpAddress": "85.158.225.79","SourceEndpointSensorId": "herehomework","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "whatgenetics","PatternId": -850535251}} +{"metadata": {"customerIDString": "whoseold age","offset": -734314513,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "heremethod","State": "closed","FineScore": 7.4072197893040554,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "whichhorror","HostID": "hiscoldness","LMHostIDs": ["thatpack"],"UserId": "helpfulcongregation"}} +{"metadata": {"customerIDString": "therepack","offset": 1274480458,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "hisfuel","HostnameField": "fewgoal","UserName": "Polynesiangate","StartTimestamp": 1582830734,"AgentIdString": "whyyear"}} +{"metadata": {"customerIDString": "mybattery","offset": 646949587,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "hugeaircraft","IncidentDescription": "leap crib patrol life childhood caravan fire album congregation government board cello data couplebus","Severity": 87,"SeverityName": "Low","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "Putinistchest","UserName": "everybodyfather","EndpointName": "whichteam","EndpointIp": "217.37.208.88","Category": "Detections","NumbersOfAlerts": -1957530576,"NumberOfCompromisedEntities": 1981982712,"State": "IN_PROGRESS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whatcongregation?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "Koreanscold","offset": 1802688676,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "theirhand","DataDomains": "Cloud","Description": "wisdom woman orange cleanmuster","DetectId": "itssheaf","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "12.139.167.121","HostNames": "browndynasty","Name": "Burmesegeneration","PatternId": 610471078,"Severity": 100,"SourceProducts": "itsboard","SourceVendors": "nonepublicity","StartTimeEpoch": 1643317697728000000,"TacticIds": "eachflock","Tactics": "gooddream","TechniqueIds": "a littleproblem","Techniques": "herhost","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "littlefact","offset": -1311502076,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "theiridea","IncidentDescription": "irritation hand mob week Taiwanesewealth","Severity": 58,"SeverityName": "Critical","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "fullcorner","UserName": "hispod","EndpointName": "everybodyfather","EndpointIp": "66.207.42.96","Category": "Detections","NumbersOfAlerts": 1444919827,"NumberOfCompromisedEntities": 1419946186,"State": "RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/everybodybundle?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "Intelligentdream","offset": -294987382,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "everyonegenerosity","UserID": "excitingposse","ExecutionID": "Turkmenbevy","ReportID": "Polishday","ReportName": "hugemurder","ReportType": "hurtbox","ReportFileReference": "mycatalog","Status": "Himalayananswer","StatusMessage": "howboat","ExecutionMetadata": {"ExecutionStart": 125781275,"ExecutionDuration": 1746585042,"ReportFileName": "sorewoman","ResultCount": 1298993366,"ResultID": "magnificentweek","SearchWindowStart": 1195611967,"SearchWindowEnd": -1416647402}}} +{"metadata": {"customerIDString": "hispyramid","offset": -1623127264,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "anycompany","UserIp": "121.140.140.29","OperationName": "revokeUserRoles","ServiceName": "detections","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "disgustingsmile","ValueString": "therecatalog"}],"Attributes": {"actor_cid": "herelove","actor_user": "thosebush","actor_user_uuid": "wheresmoke","app_id": "alltruck","saml_assertion": "anyonemurder","target_user": "Cambodianline","trace_id": "nonevision"}}} +{"metadata": {"customerIDString": "allbox","offset": -989631340,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "thatdynasty","DataDomains": "Cloud","Description": "leap mouth book number regiment stand hand warmth hisfactory","DetectId": "howgroup","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "143.41.121.16","HostNames": "manylife","Name": "herposse","PatternId": -634411481,"Severity": 34,"SourceProducts": "Gabonesemob","SourceVendors": "heavilyhost","StartTimeEpoch": 1643317697728000000,"TacticIds": "theirmuster","Tactics": "Greekbrother","TechniqueIds": "whichmovement","Techniques": "herexaltation","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "ourhost","offset": 1465205101,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "significantegg","UserIp": "206.10.189.0","OperationName": "twoFactorAuthenticate","ServiceName": "detections","AuditKeyValues": [{"Key": "myparty","ValueString": "theirarchipelago"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "anythingadvertising"}}} +{"metadata": {"customerIDString": "fineparty","offset": 943850327,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "thatanimal","CustomerId": "ourgroup","Ipv": "78.151.91.127","CommandLine": "yourpart","ConnectionDirection": "0","EventType": "FirewallRuleApplicationFailed","Flags": {"Audit": true,"Log": true,"Monitor": true},"HostName": "Costa Ricanlife","ICMPCode": "Intelligentomen","ICMPType": "everythingnest","ImageFileName": "selfishfact","LocalAddress": "231.218.60.115","LocalPort": "89044","MatchCount": 446877245,"MatchCountSinceLastReport": -2043254590,"NetworkProfile": "somesister","PID": "-1529239543","PolicyName": "gentlebasket","PolicyID": "myfilm","Protocol": "fullscold","RemoteAddress": "159.20.51.154","RemotePort": "46914","RuleAction": "Machiavelliancaravan","RuleDescription": "hail poverty product loneliness accident crew luxuty somecoat","RuleFamilyID": "Portuguesecongregation","RuleGroupName": "Freudiangalaxy","RuleName": "theseline","RuleId": "hishorde","Status": "everythingright","Timestamp": 1751371830,"TreeID": "herriches"}} +{"metadata": {"customerIDString": "Spanishpasta","offset": -893484579,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "South Americancomputer","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\allbike","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Cloud","Description": "software horror health range toy divorce monkey pack way bevy piano child library person pencil plant luxury fact line river point whosebundle","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/eachparfume?_cid=xxxxxxx","FileName": "Atlantickitchen","FilePath": "manyhorde\\Atlantickitchen","FilesAccessed": [{"FileName": "Atlantickitchen","FilePath": "manyhorde\\Atlantickitchen","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "Atlantickitchen","FilePath": "manyhorde\\Atlantickitchen","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\hownest","GrandParentImageFileName": "thatcrew","GrandParentImageFilePath": "mypower\\thatcrew","HostGroups": "wherepack","Hostname": "Cormoranfreedom","LocalIP": "26.204.128.213","LocalIPv6": "123.139.218.209","LogonDomain": "enthusiasticslavery","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "hissolitude","Name": "anythingchest","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -1891697848,"ConnectionDirection": 1,"IsIPV6": false,"LocalAddress": "72.41.21.152","LocalPort": 12725,"Protocol": "blushinghost","RemoteAddress": "34.137.196.93","RemotePort": 63805}],"Objective": "heremoney","ParentCommandLine": "C:\\Windows\\enough ofbaby\\thislife","ParentImageFileName": "thislife","ParentImageFilePath": "hundredscackle\\thislife","ParentProcessId": 465916269,"PatternDispositionDescription": "murder farm bowl posse time pack cheese pod range group weekend galaxy posse Frenchgrandfather","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": false,"Detect": false,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"InddetMask": false,"Indicator": false,"KillActionFailed": true,"KillParent": false,"KillProcess": false,"KillSubProcess": true,"OperationBlocked": true,"PolicyDisabled": false,"ProcessBlocked": true,"QuarantineFile": false,"QuarantineMachine": true,"RegistryOperationBlocked": false,"Rooting": false,"SensorOnly": true,"SuspendParent": true,"SuspendProcess": true},"PatternDispositionValue": 1517456504,"PatternId": 390838794,"PlatformId": "Putinistflock","PlatformName": "Linux","ProcessEndTime": -744832380,"ProcessId": -1241385214,"ProcessStartTime": 1826349955,"ReferrerUrl": "doubleday","SHA1String": "ourschool","SHA256String": "uptightyear","Severity": 74,"SeverityName": "Informational","SourceProducts": "jitterypasta","SourceVendors": "whichplane","Tactic": "whatcandy","Technique": "Indonesianchild","Type": "ldt","UserName": "ourhappiness"}} +{"metadata": {"customerIDString": "Bismarckianstring","offset": 1485071988,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "ourwit","UserID": "Koreanspeed","ExecutionID": "anyonecomb","ReportID": "thereclump","ReportName": "herstaff","ReportType": "howphone","ReportFileReference": "yourarrow","Status": "Guyaneseperson","StatusMessage": "herewisp","ExecutionMetadata": {"ExecutionStart": -744689264,"ExecutionDuration": -1246961732,"ReportFileName": "Danishcompany","ResultCount": -2085098264,"ResultID": "manysalt","SearchWindowStart": -1006835044,"SearchWindowEnd": 885943863}}} +{"metadata": {"customerIDString": "heavilymodel","offset": -309080009,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "someriver","IncidentDescription": "vehicle music comfort line party disregard pack thatdamage","Severity": 63,"SeverityName": "Medium","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "Lilliputianforest","UserName": "thatschool","EndpointName": "Greekjoy","EndpointIp": "206.49.254.21","Category": "Detections","NumbersOfAlerts": 1923521815,"NumberOfCompromisedEntities": 1895439142,"State": "NEW","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/yourpain?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "thisdata","offset": 545701328,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "enchantedcourage","PolicyId": 492517383,"PolicyStatement": "South Americanhammer","CloudProvider": "wherenoun","CloudService": "theirpark","Severity": 15,"SeverityName": "High","EventAction": "toopack","EventSource": "emptywad","EventCreatedTimestamp": 1663011160,"UserId": "whichweek","UserName": "blackweek","UserSourceIp": "48.144.197.150","Tactic": "somecase","Technique": "Lebanesecase"}} +{"metadata": {"customerIDString": "angrynumber","offset": -489848778,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "itstribe","UserIp": "142.24.129.115","OperationName": "twoFactorAuthenticate","ServiceName": "Crowdstrike Streaming API","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "whatschool","ValueString": "Gaussiancompany"}],"Attributes": {"actor_cid": "poisedscold","actor_user": "Peruvianhall","actor_user_uuid": "howscold","app_id": "theirimagination","saml_assertion": "whatteam","target_user": "itsmovement","trace_id": "howhealth"}}} +{"metadata": {"customerIDString": "Guyanesefan","offset": 277731204,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "defiantstand","UserIp": "98.49.13.100","OperationName": "updateUser","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "whosehead","ValueString": "Salvadoreanleap"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "splendidcongregation"}}} +{"metadata": {"customerIDString": "enough ofnumber","offset": 781713828,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 2014971318,"ProcessEndTime": -1424813573,"ProcessId": 641627741,"ParentProcessId": -2093466398,"ComputerName": "wholehost","UserName": "thisoutfit","DetectName": "itsbrilliance","DetectDescription": "unemployment year brilliance bunch case woman child jumper room chocolate week scold poverty band advantage board crowd river eithersand","Severity": 0,"SeverityName": "Medium","FileName": "hisdisregard","FilePath": "herecrew\\hisdisregard","CommandLine": "C:\\Windows\\Madagascanfriendship","SHA256String": "substantialspoon","MD5String": "whereflag","SHA1String": "ourowl","MachineDomain": "clumsyband","NetworkAccesses": [{"AccessType": -124367159,"AccessTimestamp": 1751371565,"Protocol": "scenicmob","LocalAddress": "52.61.70.71","LocalPort": 36507,"RemoteAddress": "170.126.247.116","RemotePort": 50106,"ConnectionDirection": 1,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thesearrow?_cid=xxxxxxx","SensorId": "anyscissors","IOCType": "hash_md5","IOCValue": "itcorner","DetectId": "beautifuldetermination","LocalIP": "55.240.128.142","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "lightperson","Technique": "hercurrency","Objective": "uninterestedsedge","PatternDispositionDescription": "quality stand wit apartment longbrace","PatternDispositionValue": -460138786,"PatternDispositionFlags": {"Indicator": true,"Detect": true,"InddetMask": true,"SensorOnly": false,"Rooting": true,"KillProcess": false,"KillSubProcess": true,"QuarantineMachine": true,"QuarantineFile": true,"PolicyDisabled": true,"KillParent": false,"OperationBlocked": false,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": true,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "everythingmonkey","ParentCommandLine": "neitherface","GrandparentImageFileName": "pricklinghorde","GrandparentCommandLine": "Belgianbunch","HostGroups": "theirheat","AssociatedFile": "whosepeace","PatternId": 480175611}} +{"metadata": {"customerIDString": "over therelove","offset": 1707718174,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "hundredsclass","UserIp": "29.6.21.146","OperationName": "createUser","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "everyonestupidity","ValueString": "substantialjustice"}],"Attributes": {"actor_cid": "herclass","actor_user": "theirthought","actor_user_uuid": "fewemployment","app_id": "Rooseveltiantribe","saml_assertion": "defiantschool","target_user": "nonephotographer","trace_id": "anycloud"}}} +{"metadata": {"customerIDString": "yourring","offset": 389228953,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "everythingmember","MobileDetectionId": 1329334806,"ComputerName": "Diabolicalperson","UserName": "finecloud","ContextTimeStamp": 1649061056,"DetectId": "hisbowl","DetectName": "enough ofroad","DetectDescription": "picture grandfather number field idea cloud horde team idea fuel gang anyonestaff","Tactic": "friendlybox","TacticId": "theirsink","Technique": "whatnewspaper","TechniqueId": "itcaravan","Objective": "yourlie","Severity": 18,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Madagascanfather?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "zealouspack","AndroidAppLabel": "nervousspeed","DexFileHashes": "howhappiness","ImageFileName": "tiredbrilliance","AppInstallerInformation": "eagersister","IsBeingDebugged": false,"AndroidAppVersionName": "substantialheap","IsContainerized": true}]}} +{"metadata": {"customerIDString": "Madagascandriver","offset": -156491846,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "theireye","Highlights": ["queermotherhood"],"MatchedTimestamp": 1686889114000,"RuleId": "theirwound","RuleName": "Confuciannose","RuleTopic": "Colombianpatrol","RulePriority": "itmob","ItemId": "howcrew","ItemType": "LEGACY_TI","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "severalwall","offset": 1540072795,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "thesebevy","UserID": "significantteam","ExecutionID": "insufficientmanagement","ReportID": "oneantlers","ReportName": "fewhail","ReportType": "itsirritation","ReportFileReference": "whatlake","Status": "itspod","StatusMessage": "charmingregiment","ExecutionMetadata": {"ExecutionStart": 637627792,"ExecutionDuration": 1854835916,"ReportFileName": "allbouquet","ResultCount": -2060549350,"ResultID": "myfather","SearchWindowStart": -403925386,"SearchWindowEnd": -848128035}}} +{"metadata": {"customerIDString": "whereracism","offset": -1319618271,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "theseband","UserIp": "163.242.55.162","OperationName": "deleteUser","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "severalcrew","ValueString": "thereheat"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "severalcrowd"}}} +{"metadata": {"customerIDString": "thatpacket","offset": -637020247,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "theirclump","PolicyId": -2135732859,"PolicyStatement": "whichchild","CloudProvider": "therehail","CloudService": "whybowl","Severity": 86,"SeverityName": "Critical","EventAction": "couplework","EventSource": "Welshdresser","EventCreatedTimestamp": 1663011160,"UserId": "yourleap","UserName": "somebodycare","UserSourceIp": "19.117.240.184","Tactic": "thisdamage","Technique": "relievedpleasure"}} +{"metadata": {"customerIDString": "numerousarmy","offset": -338129624,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "myparty","IncidentDescription": "packet economics child economics gold choir cackle day posse rice muster pollution hail tea trend crowd muster case razor album cash Einsteinianarchipelago","Severity": 78,"SeverityName": "High","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "thereream","UserName": "nobodychest","EndpointName": "wherefire","EndpointIp": "17.198.246.183","Category": "Detections","NumbersOfAlerts": -264134745,"NumberOfCompromisedEntities": 920309085,"State": "DISMISS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/hisalbum?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "itsadult","offset": -1927607874,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "howhand","UserID": "wherewad","ExecutionID": "Bahamiancleverness","ReportID": "Burmesewisp","ReportName": "itschoir","ReportType": "littleweek","ReportFileReference": "somecloud","Status": "plenty oftribe","StatusMessage": "over therebasket","ExecutionMetadata": {"ExecutionStart": 900858946,"ExecutionDuration": 1334923198,"ReportFileName": "whatspaghetti","ResultCount": 1571375116,"ResultID": "whywisdom","SearchWindowStart": -1206305095,"SearchWindowEnd": -1395374622}}} +{"metadata": {"customerIDString": "anymuster","offset": 175335442,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "wholechildhood","IncidentDescription": "mouse towel pyramid year motor regiment daughter bale battery sandals line inexpensivemurder","Severity": 38,"SeverityName": "Medium","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "itswelfare","UserName": "thereweek","EndpointName": "thattrip","EndpointIp": "173.136.247.123","Category": "Incidents","NumbersOfAlerts": -116047183,"NumberOfCompromisedEntities": 733697580,"State": "NEW","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whosefire?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "wherehousework","offset": 1680558861,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "tooparty","UserID": "thatarmy","ExecutionID": "Shakespeareanslavery","ReportID": "Einsteiniancoat","ReportName": "whichtime","ReportType": "yellownest","ReportFileReference": "fullgang","Status": "whosefact","StatusMessage": "thattroop","ExecutionMetadata": {"ExecutionStart": 1159831550,"ExecutionDuration": 1995957505,"ReportFileName": "thisbatch","ResultCount": -1490727767,"ResultID": "wherecrew","SearchWindowStart": -2091742616,"SearchWindowEnd": 1408069491}}} +{"metadata": {"customerIDString": "halfcalm","offset": -1427582267,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "thisjudge","PolicyId": 1096303979,"PolicyStatement": "over thereturtle","CloudProvider": "littleshoulder","CloudService": "thattroop","Severity": 79,"SeverityName": "Low","EventAction": "cleverparty","EventSource": "anybike","EventCreatedTimestamp": 1663011160,"UserId": "inexpensivebattery","UserName": "Darwinianarchitect","UserSourceIp": "119.98.56.233","Tactic": "thoserestaurant","Technique": "Taiwaneselabour"}} +{"metadata": {"customerIDString": "someholiday","offset": 1570491927,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "fewpotato","Highlights": ["Italianbed"],"MatchedTimestamp": 1686889114000,"RuleId": "Sri-Lankanproblem","RuleName": "therecousin","RuleTopic": "Danishjoy","RulePriority": "thoseartist","ItemId": "whosetroop","ItemType": "SCRAPPY","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "Einsteiniangrains","offset": -1732787801,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "Gabonesecompany","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\enthusiasticuncle","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Identity","Description": "staff scold childhood fun problem page toothbrush hismuster","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/busycorruption?_cid=xxxxxxx","FileName": "enough ofknowledge","FilePath": "fewweather\\enough ofknowledge","FilesAccessed": [{"FileName": "enough ofknowledge","FilePath": "fewweather\\enough ofknowledge","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "enough ofknowledge","FilePath": "fewweather\\enough ofknowledge","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\badwisp","GrandParentImageFileName": "wherecompany","GrandParentImageFilePath": "howchair\\wherecompany","HostGroups": "theirream","Hostname": "mynest","LocalIP": "147.20.149.138","LocalIPv6": "114.145.127.20","LogonDomain": "itsparty","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "mycatalog","Name": "insufficientelectricity","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -1802210092,"ConnectionDirection": 0,"IsIPV6": false,"LocalAddress": "71.185.194.181","LocalPort": 59560,"Protocol": "everybodylaughter","RemoteAddress": "101.230.28.62","RemotePort": 76857}],"Objective": "thesesuccess","ParentCommandLine": "C:\\Windows\\mostcastle\\whosephone","ParentImageFileName": "whosephone","ParentImageFilePath": "charmingwoman\\whosephone","ParentProcessId": 1065827657,"PatternDispositionDescription": "collection woman horde mob severalmuster","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": true,"ContainmentFileSystem": true,"CriticalProcessDisabled": true,"Detect": true,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"InddetMask": false,"Indicator": true,"KillActionFailed": true,"KillParent": false,"KillProcess": false,"KillSubProcess": false,"OperationBlocked": false,"PolicyDisabled": false,"ProcessBlocked": false,"QuarantineFile": false,"QuarantineMachine": false,"RegistryOperationBlocked": false,"Rooting": false,"SensorOnly": false,"SuspendParent": true,"SuspendProcess": true},"PatternDispositionValue": 1116723532,"PatternId": 757487647,"PlatformId": "someverb","PlatformName": "Linux","ProcessEndTime": 1507380857,"ProcessId": -1813423510,"ProcessStartTime": 475295942,"ReferrerUrl": "onejustice","SHA1String": "agreeablevillage","SHA256String": "thatcompany","Severity": 60,"SeverityName": "Informational","SourceProducts": "hergain","SourceVendors": "purpleexaltation","Tactic": "cheerfulassistance","Technique": "therejersey","Type": "ofp","UserName": "Cambodianshower"}} +{"metadata": {"customerIDString": "herelighter","offset": 810871818,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "somebodycomb","UserIp": "88.207.85.114","OperationName": "updateUserRoles","ServiceName": "detections","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "lightbatch","ValueString": "Romaniancase"}],"Attributes": {"actor_cid": "whichmob","actor_user": "whereappetite","actor_user_uuid": "mytroupe","app_id": "littleidea","saml_assertion": "Madagascanjustice","target_user": "hundredyouth","trace_id": "yourcaravan"}}} +{"metadata": {"customerIDString": "purpletomatoes","offset": -1854554253,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "whichadvantage","DetectName": "whydog","DetectDescription": "town group book catalog hedge bevy truth troop case way energy heremetal","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/badgroup?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 97,"SeverityName": "Medium","Tactic": "whattissue","Technique": "manyteam","Objective": "hiscompany","SourceAccountDomain": "somebodyjob","SourceAccountName": "howline","SourceAccountObjectSid": "Lilliputiandynasty","SourceEndpointAccountObjectGuid": "Britishproduct","SourceEndpointAccountObjectSid": "eachhand","SourceEndpointHostName": "whywashing machine","SourceEndpointIpAddress": "194.53.21.15","SourceEndpointSensorId": "cooperativewoman","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "Cypriotway","PatternId": -1731590592}} +{"metadata": {"customerIDString": "hispouch","offset": 1916163763,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "severalcompany","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\itsunion","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Identity","Description": "apartment harvest eye luxuty bale class muchchair","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/hershower?_cid=xxxxxxx","FileName": "everythingpunctuation","FilePath": "anythingcleverness\\everythingpunctuation","FilesAccessed": [{"FileName": "everythingpunctuation","FilePath": "anythingcleverness\\everythingpunctuation","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "everythingpunctuation","FilePath": "anythingcleverness\\everythingpunctuation","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\shyelegance","GrandParentImageFileName": "somecaptain","GrandParentImageFilePath": "nobodyhorde\\somecaptain","HostGroups": "a lottroop","Hostname": "everyonebook","LocalIP": "129.90.65.50","LocalIPv6": "67.129.132.111","LogonDomain": "howluggage","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "myunderstanding","Name": "anyoneconfusion","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 1715370835,"ConnectionDirection": 1,"IsIPV6": false,"LocalAddress": "47.242.121.249","LocalPort": 64766,"Protocol": "whygrowth","RemoteAddress": "218.221.4.175","RemotePort": 4899}],"Objective": "tamemustering","ParentCommandLine": "C:\\Windows\\nervousarmy\\Hinduostrich","ParentImageFileName": "Hinduostrich","ParentImageFilePath": "nobodycrew\\Hinduostrich","ParentProcessId": 496739043,"PatternDispositionDescription": "music crowd number block dynasty museum bowl coldness pair weight host company muster person husband cleverness hand island problem trip coffee time mygroup","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": false,"ContainmentFileSystem": false,"CriticalProcessDisabled": true,"Detect": true,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"InddetMask": true,"Indicator": false,"KillActionFailed": false,"KillParent": false,"KillProcess": true,"KillSubProcess": false,"OperationBlocked": false,"PolicyDisabled": true,"ProcessBlocked": true,"QuarantineFile": true,"QuarantineMachine": false,"RegistryOperationBlocked": false,"Rooting": false,"SensorOnly": true,"SuspendParent": false,"SuspendProcess": true},"PatternDispositionValue": 274275370,"PatternId": 1713484901,"PlatformId": "thatnature","PlatformName": "Windows","ProcessEndTime": -423582367,"ProcessId": 1362576839,"ProcessStartTime": -1243653454,"ReferrerUrl": "yourvilla","SHA1String": "improvisedrange","SHA256String": "Russiandream","Severity": 17,"SeverityName": "Low","SourceProducts": "hundredsstack","SourceVendors": "Einsteinianadvantage","Tactic": "severalboy","Technique": "Antarcticegg","Type": "ldt","UserName": "so fewshorts"}} +{"metadata": {"customerIDString": "glorioustelevision","offset": 1937096872,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "hercackle","CustomerId": "manybook","Ipv": "106.178.30.162","CommandLine": "over thereweight","ConnectionDirection": "0","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": true,"Log": true,"Monitor": false},"HostName": "itbrace","ICMPCode": "itarmy","ICMPType": "over theretown","ImageFileName": "Nepalesegrowth","LocalAddress": "157.226.200.52","LocalPort": "24178","MatchCount": -913847416,"MatchCountSinceLastReport": -1802071189,"NetworkProfile": "eachidea","PID": "-883383240","PolicyName": "doublecompany","PolicyID": "Bangladeshinumber","Protocol": "fulldisregard","RemoteAddress": "190.114.159.219","RemotePort": "85977","RuleAction": "theirgun","RuleDescription": "luxury market underwear leap union right canoe world party problem ream choir catalog effect bunch pack week stairs staff stand party importance Finnishbus","RuleFamilyID": "whichluck","RuleGroupName": "nobodyweek","RuleName": "somegroup","RuleId": "Britishmuster","Status": "fullviolence","Timestamp": 1751371830,"TreeID": "everybodymuster"}} +{"metadata": {"customerIDString": "manyfleet","offset": 1169938770,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "obedientphotographer","DetectName": "wherebus","DetectDescription": "cane board wood scissors ball envy host party class group ball pride piano caravan happiness gossip part whatorange","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/alllibrary?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 18,"SeverityName": "Low","Tactic": "whatmotherhood","Technique": "Senegalesetrip","Objective": "theretea","SourceAccountDomain": "Iraqitolerance","SourceAccountName": "cleanroom","SourceAccountObjectSid": "couplecompany","SourceEndpointAccountObjectGuid": "wherescold","SourceEndpointAccountObjectSid": "tooconditioner","SourceEndpointHostName": "somefact","SourceEndpointIpAddress": "56.83.63.203","SourceEndpointSensorId": "Brazilianstring","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "thiscongregation","PatternId": -1256237764}} +{"metadata": {"customerIDString": "hergang","offset": 512065216,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "theirhedge","UserID": "scenicsock","ExecutionID": "cleancompany","ReportID": "so fewreligion","ReportName": "whichquiver","ReportType": "tenseteam","ReportFileReference": "Iraqigeneration","Status": "cleverhand","StatusMessage": "coupleuncle","ExecutionMetadata": {"ExecutionStart": 1765346244,"ExecutionDuration": -654156777,"ReportFileName": "comfortablecovey","ResultCount": -1585726216,"ResultID": "ourcardigan","SearchWindowStart": -578749749,"SearchWindowEnd": -1949776905}}} +{"metadata": {"customerIDString": "whichmessage","offset": -1708869937,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "Elizabethancomb","State": "closed","FineScore": 3.5560299510671025,"LateralMovement": 1,"IncidentType": 2,"IncidentID": "hereshop","HostID": "yourcackle","LMHostIDs": ["whyeducation"],"UserId": "Orwelliancase"}} +{"metadata": {"customerIDString": "proudaid","offset": 593724173,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "severalpair","State": "open","FineScore": 4.274128535370408,"LateralMovement": 0,"IncidentType": 2,"IncidentID": "someonecurrency","HostID": "lightproduction","LMHostIDs": ["thiscovey"],"UserId": "Finnishcompany"}} +{"metadata": {"customerIDString": "Taiwanesewealth","offset": -1952296304,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "onegovernment","HostnameField": "anyvision","UserName": "whynumber","StartTimestamp": 1582830734,"AgentIdString": "Middle Easternfrog"}} +{"metadata": {"customerIDString": "nophilosophy","offset": -1950030235,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 933310372,"ProcessEndTime": -656887118,"ProcessId": -279016116,"ParentProcessId": -1541940696,"ComputerName": "condemnedsilence","UserName": "littleflour","DetectName": "plenty ofnutrition","DetectDescription": "newspaper country staff wrist sleep wheat tribe infancy nervousleisure","Severity": 0,"SeverityName": "Informational","FileName": "onemanagement","FilePath": "allcollection\\onemanagement","CommandLine": "C:\\Windows\\Alaskanvision","SHA256String": "Finnishpagoda","MD5String": "over theretime","SHA1String": "thereshock","MachineDomain": "friendlything","NetworkAccesses": [{"AccessType": 1118182597,"AccessTimestamp": 1751371565,"Protocol": "Englishstring","LocalAddress": "175.37.189.53","LocalPort": 53819,"RemoteAddress": "130.123.227.121","RemotePort": 35318,"ConnectionDirection": 2,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/severalwoman?_cid=xxxxxxx","SensorId": "Spanishgeneration","IOCType": "domain","IOCValue": "numerousworld","DetectId": "gracefulhouse","LocalIP": "27.155.64.24","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "herefriendship","Technique": "energetichatred","Objective": "herbunch","PatternDispositionDescription": "catalog city research singer tribe handsomeclass","PatternDispositionValue": 1006414644,"PatternDispositionFlags": {"Indicator": true,"Detect": true,"InddetMask": false,"SensorOnly": false,"Rooting": false,"KillProcess": true,"KillSubProcess": true,"QuarantineMachine": false,"QuarantineFile": true,"PolicyDisabled": false,"KillParent": false,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": false,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "itsroad","ParentCommandLine": "Thatcheritemurder","GrandparentImageFileName": "a littlescale","GrandparentCommandLine": "plenty oflabour","HostGroups": "heavyaunt","AssociatedFile": "over thererubbish","PatternId": -2005874962}} +{"metadata": {"customerIDString": "wittysleep","offset": 1412438253,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "Gaussianman","State": "open","FineScore": 0.6186911314386832,"LateralMovement": 1,"IncidentType": 1,"IncidentID": "wholecaravan","HostID": "whichstand","LMHostIDs": ["howfriendship"],"UserId": "thesething"}} +{"metadata": {"customerIDString": "curiosair","offset": -250405407,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "onecat","Highlights": ["somebodyfact"],"MatchedTimestamp": 1686889114000,"RuleId": "yourmother","RuleName": "hercurrency","RuleTopic": "thankfulmovement","RulePriority": "itsunshine","ItemId": "hisproblem","ItemType": "SCRAPPY","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "hugecloud","offset": -1900702738,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "howbattery","MobileDetectionId": 343032952,"ComputerName": "whoseplace","UserName": "ourmovement","ContextTimeStamp": 1649061056,"DetectId": "wholefact","DetectName": "everyonethought","DetectDescription": "basket house sedge kindness dynasty goal heap forest earrings success week bevy hour team cloud butter harvest choir blender whichchoir","Tactic": "Parisiancup","TacticId": "heretime","Technique": "mybattery","TechniqueId": "kindawareness","Objective": "Greekcousin","Severity": 93,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/auspiciousspeed?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "whycongregation","AndroidAppLabel": "troublingquiver","DexFileHashes": "nonecar","ImageFileName": "wherepod","AppInstallerInformation": "ithair","IsBeingDebugged": true,"AndroidAppVersionName": "fewfreedom","IsContainerized": false}]}} +{"metadata": {"customerIDString": "Victoriandeskpath","offset": -1376595275,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "Thaipeace","DetectName": "allcare","DetectDescription": "hercare","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/everybodyhead?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 9,"SeverityName": "Low","Tactic": "South Americanfashion","Technique": "Canadianstaff","Objective": "anythingeye","SourceAccountDomain": "outrageousmeal","SourceAccountName": "wherefreedom","SourceAccountObjectSid": "itsstack","SourceEndpointAccountObjectGuid": "Barcelonianparty","SourceEndpointAccountObjectSid": "allwoman","SourceEndpointHostName": "itscomb","SourceEndpointIpAddress": "69.74.170.53","SourceEndpointSensorId": "hischild","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "disturbedtruth","PatternId": 326683896}} +{"metadata": {"customerIDString": "hundredcandy","offset": -1101002719,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 2080761357,"ProcessEndTime": 2043850267,"ProcessId": 1031101204,"ParentProcessId": -287603910,"ComputerName": "ourcare","UserName": "blackworld","DetectName": "howbundle","DetectDescription": "way peacock problem book company person innocence child year generation problem body crowd wolf belief park hail bravery bravery wisp thing severalhost","Severity": 0,"SeverityName": "Medium","FileName": "everygovernment","FilePath": "Guyanesehail\\everygovernment","CommandLine": "C:\\Windows\\theirregiment","SHA256String": "numerousunemployment","MD5String": "theirreel","SHA1String": "Congolesemotherhood","MachineDomain": "heavydata","NetworkAccesses": [{"AccessType": 1739056061,"AccessTimestamp": 1751371565,"Protocol": "Romaniancloud","LocalAddress": "156.91.133.60","LocalPort": 74704,"RemoteAddress": "245.107.190.208","RemotePort": 76848,"ConnectionDirection": 2,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/sparsething?_cid=xxxxxxx","SensorId": "poisedpod","IOCType": "filename","IOCValue": "everyoneboard","DetectId": "itbale","LocalIP": "146.228.219.35","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "someonepoint","Technique": "whatbag","Objective": "ourgovernment","PatternDispositionDescription": "building scissors grandmother keyboard fiction mustering scold cackle tissue crowd guilt trust dream heap plant snow host movement wad cluster friendship mostbook","PatternDispositionValue": 924678192,"PatternDispositionFlags": {"Indicator": false,"Detect": true,"InddetMask": false,"SensorOnly": false,"Rooting": true,"KillProcess": true,"KillSubProcess": true,"QuarantineMachine": true,"QuarantineFile": true,"PolicyDisabled": false,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": true,"RegistryOperationBlocked": false,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": true,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": true,"SuspendParent": true},"ParentImageFileName": "severalthing","ParentCommandLine": "calmscold","GrandparentImageFileName": "joyouspart","GrandparentCommandLine": "whypatrol","HostGroups": "cheerfulmusic","AssociatedFile": "Machiavellianbunch","PatternId": 125137225}} +{"metadata": {"customerIDString": "mychest","offset": 1153946996,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -1117047632,"ProcessEndTime": -2004420101,"ProcessId": 1532328976,"ParentProcessId": 1360968630,"ComputerName": "yourperson","UserName": "hugepod","DetectName": "longegg","DetectDescription": "mustering irritation brace batch smoke thing forest scold point wisp flower company child therestand","Severity": 2,"SeverityName": "Informational","FileName": "adorableschool","FilePath": "whatpage\\adorableschool","CommandLine": "C:\\Windows\\emptygame","SHA256String": "anythingalligator","MD5String": "greatline","SHA1String": "manyclub","MachineDomain": "yourmuster","NetworkAccesses": [{"AccessType": -1771015515,"AccessTimestamp": 1751371565,"Protocol": "Torontonianbunch","LocalAddress": "15.152.75.17","LocalPort": 87884,"RemoteAddress": "233.86.11.42","RemotePort": 9785,"ConnectionDirection": 2,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thankfularchitect?_cid=xxxxxxx","SensorId": "amusedline","IOCType": "behavior","IOCValue": "thatparty","DetectId": "hundredsflock","LocalIP": "120.106.149.190","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "everythingvillage","Technique": "alllondon","Objective": "Congoleseflock","PatternDispositionDescription": "posse chaise longue clarity happiness member garage width covey hail flock energy day class weather mercy hand herestack","PatternDispositionValue": 2009879131,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": true,"SensorOnly": true,"Rooting": false,"KillProcess": false,"KillSubProcess": false,"QuarantineMachine": false,"QuarantineFile": false,"PolicyDisabled": true,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": true,"RegistryOperationBlocked": true,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": true,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "Finnishchest","ParentCommandLine": "theircompany","GrandparentImageFileName": "theirrubbish","GrandparentCommandLine": "Cambodiangrade","HostGroups": "itsgain","AssociatedFile": "mything","PatternId": 684192837}} +{"metadata": {"customerIDString": "howtime","offset": -989900221,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "hishorde","Region": "us-east-1","ResourceId": "manypopcorn","ResourceIdType": "manysheaf","ResourceName": "nobodyarmy","ResourceCreateTime": 0,"PolicyStatement": "whereskyscraper","PolicyId": 1282256644,"Severity": 78,"SeverityName": "Medium","CloudPlatform": "queercackle","CloudService": "theseloss","Disposition": "Passed","ResourceUrl": "quaintfield","Finding": "ourbevy","Tags": [{"Key": "wanderingmovement","ValueString": "eitherxylophone"}],"ReportUrl": "a lotpatience","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "whosewaist","offset": -306081915,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "theirquality","IncidentDescription": "set class shopping divorce housework troop itsunglasses","Severity": 92,"SeverityName": "Informational","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "mytroupe","UserName": "thatlife","EndpointName": "anystand","EndpointIp": "228.59.116.79","Category": "Detections","NumbersOfAlerts": 1001476486,"NumberOfCompromisedEntities": -1478636482,"State": "IN_PROGRESS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/yourbody?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "neithersunshine","offset": -1019875160,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -1281081394,"ProcessEndTime": -1455065204,"ProcessId": -592541064,"ParentProcessId": 980825791,"ComputerName": "therejealousy","UserName": "Barbadianproblem","DetectName": "whycomfort","DetectDescription": "host school year stand number pack batch jumper account heavyhouse","Severity": 0,"SeverityName": "Low","FileName": "tastywalk","FilePath": "yourstupidity\\tastywalk","CommandLine": "C:\\Windows\\whosemob","SHA256String": "theirmuster","MD5String": "whytable","SHA1String": "Germandata","MachineDomain": "herechest","NetworkAccesses": [{"AccessType": 44794767,"AccessTimestamp": 1751371565,"Protocol": "Gaboneseperson","LocalAddress": "77.89.124.80","LocalPort": 24688,"RemoteAddress": "101.61.89.28","RemotePort": 9914,"ConnectionDirection": 0,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Cypriotarchipelago?_cid=xxxxxxx","SensorId": "Aristotelianreel","IOCType": "filename","IOCValue": "thoseboxers","DetectId": "herecrew","LocalIP": "30.9.43.137","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "thatcompany","Technique": "ourcaravan","Objective": "whichfilm","PatternDispositionDescription": "year troupe deceit oxygen speed bale stand group seed year chest dollar cast fire neck team leap bill mercy hundredssheaf","PatternDispositionValue": 956284619,"PatternDispositionFlags": {"Indicator": false,"Detect": true,"InddetMask": true,"SensorOnly": true,"Rooting": false,"KillProcess": false,"KillSubProcess": false,"QuarantineMachine": true,"QuarantineFile": true,"PolicyDisabled": false,"KillParent": false,"OperationBlocked": true,"ProcessBlocked": true,"RegistryOperationBlocked": true,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": true,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": true,"SuspendParent": false},"ParentImageFileName": "heresedge","ParentCommandLine": "whosetelevision","GrandparentImageFileName": "Peruvianwisp","GrandparentCommandLine": "zealousbale","HostGroups": "hismustering","AssociatedFile": "Newtonianreligion","PatternId": -700622379}} +{"metadata": {"customerIDString": "theirbikini","offset": -1111500739,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "magnificentcongregation","PolicyId": -1465293206,"PolicyStatement": "charmingoutfit","CloudProvider": "over therehouse","CloudService": "sleepypool","Severity": 32,"SeverityName": "Critical","EventAction": "clevereye","EventSource": "whichboard","EventCreatedTimestamp": 1663011160,"UserId": "Torontonianadult","UserName": "delightfulfire","UserSourceIp": "102.41.173.166","Tactic": "whosegoodness","Technique": "therestairs"}} +{"metadata": {"customerIDString": "anyonebusiness","offset": 2043833068,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "confusingpart","CustomerId": "whybunch","Ipv": "10.131.98.140","CommandLine": "whosebird","ConnectionDirection": "0","EventType": "FirewallRuleApplicationFailed","Flags": {"Audit": true,"Log": true,"Monitor": true},"HostName": "anyliterature","ICMPCode": "a lotpack","ICMPType": "yourdelay","ImageFileName": "somehand","LocalAddress": "42.108.60.165","LocalPort": "40762","MatchCount": -1267405658,"MatchCountSinceLastReport": -477792013,"NetworkProfile": "fullstaff","PID": "-574200502","PolicyName": "Bangladeshieye","PolicyID": "theirloss","Protocol": "somebodyposse","RemoteAddress": "11.94.83.114","RemotePort": "13053","RuleAction": "someplace","RuleDescription": "hand murder care brilliance table project battery whosedolphin","RuleFamilyID": "Caesarianpatrol","RuleGroupName": "Philippinewad","RuleName": "myposse","RuleId": "everythingcluster","Status": "sufficientsparrow","Timestamp": 1751371830,"TreeID": "therewall"}} +{"metadata": {"customerIDString": "Mexicancollection","offset": 1365601881,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "ourtribe","HostnameField": "quainttroop","UserName": "someonetomato","StartTimestamp": 1582830734,"AgentIdString": "theirbunch"}} +{"metadata": {"customerIDString": "hungryhonesty","offset": 1446823700,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "yourcatalog","HostnameField": "everybodystack","UserName": "sufficientcaravan","StartTimestamp": 1582830734,"AgentIdString": "whyarchipelago"}} +{"metadata": {"customerIDString": "Lincolniancrew","offset": 1522679423,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "splendidcard","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\manyback","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "IoT","Description": "park calm generosity bale case cackle brace covey battery dress animal cleverness traffic brace data Welshhail","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/ourmob?_cid=xxxxxxx","FileName": "hishand","FilePath": "Laotianbody\\hishand","FilesAccessed": [{"FileName": "hishand","FilePath": "Laotianbody\\hishand","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "hishand","FilePath": "Laotianbody\\hishand","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\Muscovitebunch","GrandParentImageFileName": "drabsalt","GrandParentImageFilePath": "Indonesianzebra\\drabsalt","HostGroups": "whereevidence","Hostname": "whybill","LocalIP": "79.170.98.85","LocalIPv6": "99.43.179.77","LogonDomain": "whypatrol","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "clearsmoke","Name": "whatquality","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -1874254846,"ConnectionDirection": 2,"IsIPV6": true,"LocalAddress": "92.103.224.168","LocalPort": 12811,"Protocol": "thissheep","RemoteAddress": "23.193.198.213","RemotePort": 73819}],"Objective": "whyinfancy","ParentCommandLine": "C:\\Windows\\ourarmy\\whattalent","ParentImageFileName": "whattalent","ParentImageFilePath": "nonearmy\\whattalent","ParentProcessId": 227474881,"PatternDispositionDescription": "week crowd whyfrailty","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": true,"Detect": true,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"InddetMask": true,"Indicator": true,"KillActionFailed": true,"KillParent": false,"KillProcess": false,"KillSubProcess": true,"OperationBlocked": false,"PolicyDisabled": false,"ProcessBlocked": true,"QuarantineFile": false,"QuarantineMachine": false,"RegistryOperationBlocked": true,"Rooting": true,"SensorOnly": false,"SuspendParent": true,"SuspendProcess": false},"PatternDispositionValue": 528851604,"PatternId": -1541050124,"PlatformId": "fancywound","PlatformName": "Windows","ProcessEndTime": 1580462124,"ProcessId": 1515113029,"ProcessStartTime": -970298463,"ReferrerUrl": "eitherunemployment","SHA1String": "someonebowl","SHA256String": "onedream","Severity": 22,"SeverityName": "Low","SourceProducts": "Parisianleap","SourceVendors": "thisgroup","Tactic": "everyoneadult","Technique": "whereblock","Type": "ldt","UserName": "foolishway"}} +{"metadata": {"customerIDString": "over theredream","offset": -963974833,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "itholiday","MobileDetectionId": 1124985272,"ComputerName": "allhorde","UserName": "everybodyarmy","ContextTimeStamp": 1649061056,"DetectId": "howstupidity","DetectName": "herwork","DetectDescription": "jealousy life band board crew cluster man way child stream eye murder quiver staff handsometoothbrush","Tactic": "somebodyforest","TacticId": "herpart","Technique": "anycast","TechniqueId": "noneparty","Objective": "successfulmuster","Severity": 30,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/eitherfact?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "South Americangroup","AndroidAppLabel": "whyaccount","DexFileHashes": "over theregame","ImageFileName": "numerousdetective","AppInstallerInformation": "thesemustering","IsBeingDebugged": false,"AndroidAppVersionName": "Lebanesechair","IsContainerized": false}]}} +{"metadata": {"customerIDString": "Greekdelay","offset": 19958052,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "thesemember","UserIp": "141.134.209.232","OperationName": "revokeCustomerSubscriptions","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "somebodynutrition","ValueString": "anyedge"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "herehorror"}}} +{"metadata": {"customerIDString": "openmurder","offset": 541820293,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "modernloneliness","UserID": "Confuciancompany","ExecutionID": "lovelyluck","ReportID": "Lincolnianman","ReportName": "numerouschaise longue","ReportType": "Asianman","ReportFileReference": "gracefultroop","Status": "eachsmile","StatusMessage": "whichcaravan","ExecutionMetadata": {"ExecutionStart": 770732332,"ExecutionDuration": -2113676235,"ReportFileName": "toocup","ResultCount": 1175453278,"ResultID": "severalblock","SearchWindowStart": -1431559035,"SearchWindowEnd": -1692649681}}} +{"metadata": {"customerIDString": "hisgalaxy","offset": 1842444737,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "Americanbevy","DataDomains": "Cloud","Description": "laptop corner anyonefinger","DetectId": "someoneyouth","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "209.135.214.51","HostNames": "pinkbevy","Name": "mygossip","PatternId": -1427946641,"Severity": 6,"SourceProducts": "halfslippers","SourceVendors": "manyprofessor","StartTimeEpoch": 1643317697728000000,"TacticIds": "Turkmenshower","Tactics": "herebrace","TechniqueIds": "somecovey","Techniques": "ourslavery","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "thiscookware","offset": -1239893469,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "littlepatrol","DataDomains": "Cloud","Description": "packet comb company hand awareness exaltation bevy hamburger brace Barbadiancovey","DetectId": "over theregovernor","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "96.24.217.177","HostNames": "itsteam","Name": "everybodygiraffe","PatternId": -493591939,"Severity": 8,"SourceProducts": "fullline","SourceVendors": "anythingspot","StartTimeEpoch": 1643317697728000000,"TacticIds": "somejumper","Tactics": "herschool","TechniqueIds": "insufficienthouse","Techniques": "anyteacher","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "orangeclump","offset": 1119707825,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "substantialluck","MobileDetectionId": -1157741109,"ComputerName": "Polynesiantie","UserName": "myhousework","ContextTimeStamp": 1649061056,"DetectId": "everyharm","DetectName": "fewset","DetectDescription": "flower turkey solitude packet case stand everybodywork","Tactic": "famouswad","TacticId": "greatdynasty","Technique": "mymarriage","TechniqueId": "strangepoint","Objective": "sufficientfriendship","Severity": 47,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/hergrowth?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "Burmesenoodles","AndroidAppLabel": "Barbadiandog","DexFileHashes": "theirankle","ImageFileName": "hisband","AppInstallerInformation": "neitherkindness","IsBeingDebugged": false,"AndroidAppVersionName": "whatscold","IsContainerized": false}]}} +{"metadata": {"customerIDString": "wherecrew","offset": 944470610,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "ourgovernment","UserIp": "168.140.161.33","OperationName": "requestResetPassword","ServiceName": "detections","AuditKeyValues": [{"Key": "herclarity","ValueString": "theircalm"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "thatdynasty"}}} +{"metadata": {"customerIDString": "yellowschool","offset": -1903727715,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "hishail","DetectName": "everythingfactory","DetectDescription": "number entertainment comfort pain congregation usage thateye","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whichhair?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 83,"SeverityName": "High","Tactic": "hundredfurniture","Technique": "over therechild","Objective": "mychildhood","SourceAccountDomain": "anydesk","SourceAccountName": "severalweek","SourceAccountObjectSid": "histribe","SourceEndpointAccountObjectGuid": "wheremurder","SourceEndpointAccountObjectSid": "thattunnel","SourceEndpointHostName": "somebodystreet","SourceEndpointIpAddress": "104.175.52.126","SourceEndpointSensorId": "hisperson","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "mostlife","PatternId": 360112821}} +{"metadata": {"customerIDString": "toughwork","offset": -287070609,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "herepatrol","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\nonechild","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Cloud","Description": "group cackle nest lamp chapter host mother orchard thatloss","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/helpfulfreedom?_cid=xxxxxxx","FileName": "somecoldness","FilePath": "whosepod\\somecoldness","FilesAccessed": [{"FileName": "somecoldness","FilePath": "whosepod\\somecoldness","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "somecoldness","FilePath": "whosepod\\somecoldness","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\thereclass","GrandParentImageFileName": "tensesnow","GrandParentImageFilePath": "Victorianbowl\\tensesnow","HostGroups": "helplessstaff","Hostname": "terribleartist","LocalIP": "230.168.4.90","LocalIPv6": "63.83.107.98","LogonDomain": "somesaxophone","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "Greekcackle","Name": "variedcity","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -300806198,"ConnectionDirection": 0,"IsIPV6": true,"LocalAddress": "12.235.39.157","LocalPort": 70559,"Protocol": "over therebus","RemoteAddress": "28.169.57.253","RemotePort": 83}],"Objective": "agreeablehail","ParentCommandLine": "C:\\Windows\\itsbag\\homelesshill","ParentImageFileName": "homelesshill","ParentImageFilePath": "plenty ofbrace\\homelesshill","ParentProcessId": -1064992908,"PatternDispositionDescription": "tennis dollar pollution man set friend line vision thisline","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": false,"ContainmentFileSystem": false,"CriticalProcessDisabled": true,"Detect": false,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"InddetMask": true,"Indicator": true,"KillActionFailed": true,"KillParent": true,"KillProcess": true,"KillSubProcess": false,"OperationBlocked": false,"PolicyDisabled": false,"ProcessBlocked": false,"QuarantineFile": true,"QuarantineMachine": false,"RegistryOperationBlocked": true,"Rooting": false,"SensorOnly": false,"SuspendParent": false,"SuspendProcess": true},"PatternDispositionValue": 1705387416,"PatternId": -1283889121,"PlatformId": "finearmy","PlatformName": "Linux","ProcessEndTime": 1356812483,"ProcessId": -961436773,"ProcessStartTime": 1766752750,"ReferrerUrl": "over therepride","SHA1String": "thislamb","SHA256String": "theremodel","Severity": 82,"SeverityName": "Medium","SourceProducts": "whereclarity","SourceVendors": "theredoor","Tactic": "wheredeceit","Technique": "wheremurder","Type": "ofp","UserName": "easypencil"}} +{"metadata": {"customerIDString": "Danishsmoke","offset": 379838381,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "howquiver","Region": "us-west-2","ResourceId": "over therecrew","ResourceIdType": "encouragingrespect","ResourceName": "whathedge","ResourceCreateTime": 0,"PolicyStatement": "eachnumber","PolicyId": 842027273,"Severity": 2,"SeverityName": "Informational","CloudPlatform": "whereapple","CloudService": "whichmethod","Disposition": "Passed","ResourceUrl": "heavilystack","Finding": "theircountry","Tags": [{"Key": "numerouscup","ValueString": "whoseworld"}],"ReportUrl": "whichband","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "thisboard","offset": -622221851,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "itsmurder","State": "closed","FineScore": 9.592546629752567,"LateralMovement": 1,"IncidentType": 1,"IncidentID": "whycrime","HostID": "somegroup","LMHostIDs": ["hisdream"],"UserId": "hisman"}} +{"metadata": {"customerIDString": "thoseelegance","offset": 1753228333,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "confusingfact","UserIp": "76.50.69.239","OperationName": "grantUserRoles","ServiceName": "Crowdstrike Streaming API","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "Middle Easterncouch","ValueString": "howstand"}],"Attributes": {"actor_cid": "yourstack","actor_user": "ouralbum","actor_user_uuid": "whatboard","app_id": "lightman","saml_assertion": "whichsnow","target_user": "manyegg","trace_id": "thatfashion"}}} +{"metadata": {"customerIDString": "Taiwanesestress","offset": -894626906,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "howquality","State": "open","FineScore": 9.422367116453389,"LateralMovement": 0,"IncidentType": 2,"IncidentID": "whereaddress","HostID": "fulllife","LMHostIDs": ["wheremustering"],"UserId": "allcackle"}} +{"metadata": {"customerIDString": "everybodymedicine","offset": -1102540758,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "thankfulstaff","PolicyId": -1512746364,"PolicyStatement": "whatflock","CloudProvider": "yourlove","CloudService": "thatphilosophy","Severity": 14,"SeverityName": "Informational","EventAction": "eachregiment","EventSource": "Romanenvy","EventCreatedTimestamp": 1663011160,"UserId": "herlitter","UserName": "whatpack","UserSourceIp": "60.82.204.252","Tactic": "thisgarlic","Technique": "fulltroop"}} +{"metadata": {"customerIDString": "someyouth","offset": -2033259274,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "fewleap","DetectName": "whatmilk","DetectDescription": "mob heat weight music class mustering place elegance boy lawn tribe whycinema","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/everythinggroup?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 29,"SeverityName": "Critical","Tactic": "quaintschool","Technique": "anyfire","Objective": "wheregrade","SourceAccountDomain": "thosebevy","SourceAccountName": "importantarmy","SourceAccountObjectSid": "whatwisp","SourceEndpointAccountObjectGuid": "doublefact","SourceEndpointAccountObjectSid": "someonedynasty","SourceEndpointHostName": "thankfulregiment","SourceEndpointIpAddress": "83.236.99.131","SourceEndpointSensorId": "hispaper","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "itsheap","PatternId": 401598498}} +{"metadata": {"customerIDString": "singlegroup","offset": 457189614,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "Atlanteanchair","UserIp": "90.7.226.232","OperationName": "twoFactorAuthenticate","ServiceName": "Crowdstrike Streaming API","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "Mexicangenetics","ValueString": "manycrowd"}],"Attributes": {"actor_cid": "everythingpage","actor_user": "Shakespeareanliter","actor_user_uuid": "someonenest","app_id": "enough ofbulb","saml_assertion": "Guyanesecongregation","target_user": "therespoon","trace_id": "whereparty"}}} +{"metadata": {"customerIDString": "thatchest","offset": -83040473,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "whichminute","Region": "us-west-2","ResourceId": "lemonycatalog","ResourceIdType": "whosesugar","ResourceName": "someboard","ResourceCreateTime": 0,"PolicyStatement": "hercalm","PolicyId": -1357156405,"Severity": 98,"SeverityName": "Critical","CloudPlatform": "upsetbelief","CloudService": "thesecard","Disposition": "Failed","ResourceUrl": "myboots","Finding": "sleepytransportation","Tags": [{"Key": "somegroup","ValueString": "Putinistarchipelago"}],"ReportUrl": "everyonelife","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "Asianbook","offset": -1347483999,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "Vietnameseclass","DataDomains": "Network","Description": "cash case exaltation regiment number labour whosework","DetectId": "over theremob","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "40.219.117.254","HostNames": "thatsedge","Name": "lightwolf","PatternId": -698872318,"Severity": 50,"SourceProducts": "yourgroup","SourceVendors": "fewcollege","StartTimeEpoch": 1643317697728000000,"TacticIds": "hercompany","Tactics": "herparty","TechniqueIds": "hispacket","Techniques": "onegroup","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "kindflock","offset": -302292875,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 451077962,"ProcessEndTime": 1553265477,"ProcessId": -1077533325,"ParentProcessId": -435178253,"ComputerName": "whatsorrow","UserName": "enoughinvention","DetectName": "whoseparty","DetectDescription": "team bra ream beauty mustering stairs sedge pair troop magic Lincolnianenergy","Severity": 2,"SeverityName": "Informational","FileName": "disgustingtroop","FilePath": "nobodynest\\disgustingtroop","CommandLine": "C:\\Windows\\hercooker","SHA256String": "lightworld","MD5String": "anygroup","SHA1String": "wherepound","MachineDomain": "theremachine","NetworkAccesses": [{"AccessType": 1612708288,"AccessTimestamp": 1751371565,"Protocol": "heresedge","LocalAddress": "125.50.133.172","LocalPort": 48347,"RemoteAddress": "234.221.131.4","RemotePort": 67690,"ConnectionDirection": 0,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/theirday?_cid=xxxxxxx","SensorId": "severalsilence","IOCType": "command_line","IOCValue": "thatpart","DetectId": "Peruviannewspaper","LocalIP": "54.205.111.170","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "enthusiasticbrilliance","Technique": "angryeye","Objective": "lots ofdetermination","PatternDispositionDescription": "mob bevy choir team club over thereyouth","PatternDispositionValue": 1285889820,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": false,"SensorOnly": false,"Rooting": false,"KillProcess": false,"KillSubProcess": false,"QuarantineMachine": false,"QuarantineFile": true,"PolicyDisabled": false,"KillParent": false,"OperationBlocked": false,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": false,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "thisstack","ParentCommandLine": "youngcompany","GrandparentImageFileName": "Japaneseparty","GrandparentCommandLine": "anyproduct","HostGroups": "whypart","AssociatedFile": "hereteam","PatternId": -659788280}} +{"metadata": {"customerIDString": "everyoneclass","offset": -213834920,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "thathorde","CustomerId": "itscat","Ipv": "103.246.185.64","CommandLine": "Malagasyhand","ConnectionDirection": "0","EventType": "FirewallRuleIP6Matched","Flags": {"Audit": false,"Log": true,"Monitor": false},"HostName": "eachfiction","ICMPCode": "yourstand","ICMPType": "Romaniancase","ImageFileName": "Koreanmicroscope","LocalAddress": "22.146.39.132","LocalPort": "67700","MatchCount": -508454298,"MatchCountSinceLastReport": -312004399,"NetworkProfile": "whichlife","PID": "-919470743","PolicyName": "thesecompany","PolicyID": "itpleasure","Protocol": "anyonebody","RemoteAddress": "94.122.29.16","RemotePort": "81503","RuleAction": "Kazakhsocks","RuleDescription": "class government number catalog bowl trust place sleep sorrow troop pod pound bitterness man orchard corruption innocence congregation number nest trip attractivephilosophy","RuleFamilyID": "sufficientwork","RuleGroupName": "whichteam","RuleName": "yourcandy","RuleId": "whatweather","Status": "notiming","Timestamp": 1751371830,"TreeID": "Indonesianhorde"}} +{"metadata": {"customerIDString": "Englishstack","offset": -775443396,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "Newtonianwaist","State": "open","FineScore": 3.177785166715833,"LateralMovement": 0,"IncidentType": 2,"IncidentID": "Germanmilk","HostID": "gracefulband","LMHostIDs": ["outstandingjuicer"],"UserId": "hereapartment"}} +{"metadata": {"customerIDString": "thosenose","offset": 1354823612,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "anytrip","UserIp": "236.153.26.40","OperationName": "selfAcceptEula","ServiceName": "Crowdstrike Streaming API","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "whosekilometer","ValueString": "yourhail"}],"Attributes": {"actor_cid": "realisticream","actor_user": "a littletravel","actor_user_uuid": "Congolesehail","app_id": "thoseplace","saml_assertion": "enviouspod","target_user": "tenseanimal","trace_id": "Bismarckianphysician"}}} +{"metadata": {"customerIDString": "theseheat","offset": 682319047,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "precioustax","State": "closed","FineScore": 1.5815182043193163,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "whichblock","HostID": "kindmonth","LMHostIDs": ["yourdynasty"],"UserId": "gloriousbread"}} +{"metadata": {"customerIDString": "fullstaff","offset": -920849482,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "agreeablesafety","Highlights": ["whattrench coat"],"MatchedTimestamp": 1686889114000,"RuleId": "herplant","RuleName": "allforest","RuleTopic": "severalcovey","RulePriority": "oddkindness","ItemId": "whathouse","ItemType": "CS","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "theredress","offset": -1395234477,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "puzzledcar","IncidentDescription": "brilliance muster sand time person forest cousin choir magic bill problem hand gun world wad regiment scold aircraft life turkey happypleasure","Severity": 96,"SeverityName": "Low","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "Italiangrowth","UserName": "wittystreet","EndpointName": "whatcast","EndpointIp": "128.91.6.97","Category": "Detections","NumbersOfAlerts": 1245327959,"NumberOfCompromisedEntities": 111189281,"State": "IN_PROGRESS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/anyway?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "whichstring","offset": -1230847851,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "Burkinesecash","Region": "us-west-2","ResourceId": "yourelegance","ResourceIdType": "greatbunch","ResourceName": "energeticchild","ResourceCreateTime": 0,"PolicyStatement": "anyball","PolicyId": 390863095,"Severity": 84,"SeverityName": "Informational","CloudPlatform": "comfortablestupidity","CloudService": "Russianpack","Disposition": "Passed","ResourceUrl": "itsfailure","Finding": "thatbale","Tags": [{"Key": "muddybaby","ValueString": "toomoonlight"}],"ReportUrl": "herecrest","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "whatcard","offset": -365279171,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 1651264407,"ProcessEndTime": 1505862329,"ProcessId": 1321630708,"ParentProcessId": 1017992042,"ComputerName": "theirears","UserName": "yourstreet","DetectName": "over therecompany","DetectDescription": "body cast riches man joy case article pain pair wisdom hand time horde holiday class everyonegroup","Severity": 5,"SeverityName": "High","FileName": "a little bitdriver","FilePath": "spottedrange\\a little bitdriver","CommandLine": "C:\\Windows\\yourfame","SHA256String": "nobodytroop","MD5String": "hugething","SHA1String": "Guyaneseman","MachineDomain": "everythingvilla","NetworkAccesses": [{"AccessType": -708407607,"AccessTimestamp": 1751371565,"Protocol": "whatchoir","LocalAddress": "219.20.115.119","LocalPort": 19584,"RemoteAddress": "0.153.174.27","RemotePort": 50301,"ConnectionDirection": 0,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/supergrowth?_cid=xxxxxxx","SensorId": "wheredog","IOCType": "registry_key","IOCValue": "anythingcackle","DetectId": "theirwoman","LocalIP": "16.136.203.173","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "everythingwalk","Technique": "hishost","Objective": "abundantstadium","PatternDispositionDescription": "pack cloud lips tail lack poverty team eye person problem spoon office guest party leap party quantity thatbread","PatternDispositionValue": -1079078772,"PatternDispositionFlags": {"Indicator": false,"Detect": false,"InddetMask": true,"SensorOnly": true,"Rooting": false,"KillProcess": false,"KillSubProcess": false,"QuarantineMachine": false,"QuarantineFile": true,"PolicyDisabled": true,"KillParent": false,"OperationBlocked": false,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": false,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "nervouskoala","ParentCommandLine": "itplace","GrandparentImageFileName": "herwall","GrandparentCommandLine": "annoyingalbum","HostGroups": "itblazer","AssociatedFile": "Welshmob","PatternId": -629830209}} +{"metadata": {"customerIDString": "Congolesecast","offset": -995742918,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "singleforest","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\whosewood","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Email","Description": "foot gold problem child chair part economics kangaroo point sand point engine thereherbs","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thereelection?_cid=xxxxxxx","FileName": "sufficientwisp","FilePath": "thismarriage\\sufficientwisp","FilesAccessed": [{"FileName": "sufficientwisp","FilePath": "thismarriage\\sufficientwisp","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "sufficientwisp","FilePath": "thismarriage\\sufficientwisp","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\whatbasket","GrandParentImageFileName": "emptycase","GrandParentImageFilePath": "eachgroup\\emptycase","HostGroups": "gorgeousalbum","Hostname": "whyworld","LocalIP": "95.44.87.130","LocalIPv6": "239.244.185.158","LogonDomain": "wherelawyer","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "itsowl","Name": "lots ofsedge","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -1089440136,"ConnectionDirection": 0,"IsIPV6": false,"LocalAddress": "244.38.205.206","LocalPort": 49082,"Protocol": "Burkinesehorse","RemoteAddress": "74.121.25.62","RemotePort": 10653}],"Objective": "anythinghat","ParentCommandLine": "C:\\Windows\\strangefilm\\Kazakhchoir","ParentImageFileName": "Kazakhchoir","ParentImageFilePath": "somebodyfiction\\Kazakhchoir","ParentProcessId": -434386359,"PatternDispositionDescription": "fact caravan crowd class year heart religion book jaw wad staff week hand Tibetanuncle","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": false,"ContainmentFileSystem": false,"CriticalProcessDisabled": false,"Detect": true,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"InddetMask": false,"Indicator": true,"KillActionFailed": true,"KillParent": true,"KillProcess": true,"KillSubProcess": false,"OperationBlocked": true,"PolicyDisabled": true,"ProcessBlocked": true,"QuarantineFile": true,"QuarantineMachine": false,"RegistryOperationBlocked": false,"Rooting": true,"SensorOnly": true,"SuspendParent": true,"SuspendProcess": true},"PatternDispositionValue": -803513788,"PatternId": -387791910,"PlatformId": "myfrailty","PlatformName": "Windows","ProcessEndTime": 449528859,"ProcessId": 110124735,"ProcessStartTime": -1407753202,"ReferrerUrl": "Honduranconfusion","SHA1String": "whichcompany","SHA256String": "thatregiment","Severity": 99,"SeverityName": "Critical","SourceProducts": "lazychild","SourceVendors": "muchhorror","Tactic": "uptightwoman","Technique": "heresedge","Type": "ldt","UserName": "ashamedthrill"}} +{"metadata": {"customerIDString": "difficultvalley","offset": 2101272754,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "severalpool","CustomerId": "hisgang","Ipv": "189.147.225.84","CommandLine": "blackocean","ConnectionDirection": "2","EventType": "FirewallRuleApplicationFailed","Flags": {"Audit": true,"Log": false,"Monitor": true},"HostName": "Aristotelianmob","ICMPCode": "hereworld","ICMPType": "allmob","ImageFileName": "allbale","LocalAddress": "13.4.44.115","LocalPort": "25613","MatchCount": -1598198376,"MatchCountSinceLastReport": 641894820,"NetworkProfile": "unusualgrapes","PID": "223516280","PolicyName": "somepig","PolicyID": "yourgrandmother","Protocol": "somecluster","RemoteAddress": "251.233.178.116","RemotePort": "1144","RuleAction": "halfcontent","RuleDescription": "vase physician troupe point anthology truck time garage kettle thrill luck book company paper week tolerance everybodywater","RuleFamilyID": "whosekangaroo","RuleGroupName": "Romanchild","RuleName": "substantialmagic","RuleId": "Sammarineseeye","Status": "therethought","Timestamp": 1751371830,"TreeID": "somebodyschool"}} +{"metadata": {"customerIDString": "onefoot","offset": 1731062168,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "herecalm","CustomerId": "whosereligion","Ipv": "128.116.89.207","CommandLine": "everyonedivorce","ConnectionDirection": "2","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": false,"Log": false,"Monitor": false},"HostName": "itslemon","ICMPCode": "anybundle","ICMPType": "manylung","ImageFileName": "littlerabbit","LocalAddress": "252.110.60.206","LocalPort": "37774","MatchCount": 899007412,"MatchCountSinceLastReport": -1204268395,"NetworkProfile": "Koreanway","PID": "744586950","PolicyName": "nonesugar","PolicyID": "Victorianfox","Protocol": "uptightscold","RemoteAddress": "79.225.9.41","RemotePort": "88811","RuleAction": "howman","RuleDescription": "clarity mustering task engine posse stack gas station congregation stairs covey woman host range galaxy gang army thing yourrestaurant","RuleFamilyID": "uglywork","RuleGroupName": "repellingteam","RuleName": "a little bitleap","RuleId": "fewgeneration","Status": "wholeslavery","Timestamp": 1751371830,"TreeID": "finecaravan"}} +{"metadata": {"customerIDString": "thoughtfulcompany","offset": -1919265590,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "theirdolphin","UserID": "Finnishregiment","ExecutionID": "Laotiancast","ReportID": "theirbread","ReportName": "over thereart","ReportType": "thatengine","ReportFileReference": "Frenchhorse","Status": "itday","StatusMessage": "whosesedge","ExecutionMetadata": {"ExecutionStart": -916885740,"ExecutionDuration": 1326168034,"ReportFileName": "hisglasses","ResultCount": 864471789,"ResultID": "Middle Easternrhythm","SearchWindowStart": 2133009784,"SearchWindowEnd": 1995106451}}} +{"metadata": {"customerIDString": "whatclump","offset": 1831488623,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "whytown","Region": "us-east-1","ResourceId": "yourholiday","ResourceIdType": "herewelfare","ResourceName": "histroupe","ResourceCreateTime": 0,"PolicyStatement": "thistruth","PolicyId": -1908197964,"Severity": 14,"SeverityName": "Informational","CloudPlatform": "thankfulwit","CloudService": "yourcompany","Disposition": "Failed","ResourceUrl": "crowdedpouch","Finding": "whosequiver","Tags": [{"Key": "a little bitbottle","ValueString": "itswoman"}],"ReportUrl": "whatcomb","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "everynap","offset": 757485648,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "redlighter","DataDomains": "Cloud","Description": "shower enoughbrass","DetectId": "grievingtroupe","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "176.232.137.88","HostNames": "manyposse","Name": "eachperson","PatternId": 127645950,"Severity": 42,"SourceProducts": "dizzyingartist","SourceVendors": "somebodychoir","StartTimeEpoch": 1643317697728000000,"TacticIds": "eithergame","Tactics": "Egyptianvillage","TechniqueIds": "fewline","Techniques": "herharvest","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "yourson","offset": -1475686550,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "Burkinesegold","UserIp": "82.104.176.236","OperationName": "updateUser","ServiceName": "detections","AuditKeyValues": [{"Key": "realistickindness","ValueString": "emptybatch"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "littlenurse"}}} +{"metadata": {"customerIDString": "confusingbunch","offset": 434583498,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "carefultent","UserIp": "104.15.74.170","OperationName": "userAuthenticate","ServiceName": "Crowdstrike Streaming API","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "sufficientpatrol","ValueString": "everybodydoor"}],"Attributes": {"actor_cid": "allwisp","actor_user": "homelessfreedom","actor_user_uuid": "clumsycase","app_id": "hundredsstairs","saml_assertion": "anythingstand","target_user": "lots ofdoor","trace_id": "allsedge"}}} +{"metadata": {"customerIDString": "myhair","offset": -1648174413,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "whypronunciation","State": "closed","FineScore": 5.177857128490845,"LateralMovement": 1,"IncidentType": 1,"IncidentID": "theirsedge","HostID": "thisball","LMHostIDs": ["Californianleap"],"UserId": "halfgold"}} +{"metadata": {"customerIDString": "wherefact","offset": -720865589,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "hereexaltation","MobileDetectionId": -1982062954,"ComputerName": "whichgroup","UserName": "whateye","ContextTimeStamp": 1649061056,"DetectId": "theircorruption","DetectName": "howbale","DetectDescription": "sedge mirror television kilometer range a littlebed","Tactic": "Newtonianshopping","TacticId": "thesesnow","Technique": "itmile","TechniqueId": "whatscold","Objective": "whyclass","Severity": 8,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/somefork?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "ourperson","AndroidAppLabel": "whyman","DexFileHashes": "Guyanesecompany","ImageFileName": "thisshower","AppInstallerInformation": "whoseguest","IsBeingDebugged": true,"AndroidAppVersionName": "anyonestand","IsContainerized": false}]}} +{"metadata": {"customerIDString": "howbakery","offset": 1483297595,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "somemonkey","UserIp": "87.98.211.64","OperationName": "confirmResetPassword","ServiceName": "Crowdstrike Streaming API","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "thereluck","ValueString": "abundantdynasty"}],"Attributes": {"actor_cid": "herecollection","actor_user": "whosemotherhood","actor_user_uuid": "a littlewhale","app_id": "Mayanarmy","saml_assertion": "cuteparty","target_user": "itsleap","trace_id": "redpoint"}}} +{"metadata": {"customerIDString": "Romanclump","offset": -2038715325,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "helpfulchurch","HostnameField": "wherebundle","UserName": "yourpigeon","StartTimestamp": 1582830734,"AgentIdString": "franticyoga"}} +{"metadata": {"customerIDString": "myring","offset": 1367700305,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "fewtable","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\everyoneeducation","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Network","Description": "team failure library set wit air allcloud","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/therehail?_cid=xxxxxxx","FileName": "wherebrilliance","FilePath": "manywildlife\\wherebrilliance","FilesAccessed": [{"FileName": "wherebrilliance","FilePath": "manywildlife\\wherebrilliance","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "wherebrilliance","FilePath": "manywildlife\\wherebrilliance","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\wholeyear","GrandParentImageFileName": "wherepasta","GrandParentImageFilePath": "thereapartment\\wherepasta","HostGroups": "yournest","Hostname": "herbale","LocalIP": "12.115.224.47","LocalIPv6": "177.2.110.77","LogonDomain": "hisgain","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "nobodypoverty","Name": "whatbrace","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -280407180,"ConnectionDirection": 2,"IsIPV6": true,"LocalAddress": "225.204.92.130","LocalPort": 39481,"Protocol": "plaintea","RemoteAddress": "149.103.11.179","RemotePort": 80181}],"Objective": "thiskindness","ParentCommandLine": "C:\\Windows\\hereharm\\theircast","ParentImageFileName": "theircast","ParentImageFilePath": "relievedharvest\\theircast","ParentProcessId": 950210920,"PatternDispositionDescription": "litter life exaltation clump world bravery archipelago help dynasty staff importance anthology fan team calm information herbs stress woman wherenest","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": true,"Detect": false,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"InddetMask": false,"Indicator": false,"KillActionFailed": true,"KillParent": true,"KillProcess": true,"KillSubProcess": false,"OperationBlocked": false,"PolicyDisabled": false,"ProcessBlocked": true,"QuarantineFile": false,"QuarantineMachine": true,"RegistryOperationBlocked": false,"Rooting": false,"SensorOnly": true,"SuspendParent": true,"SuspendProcess": false},"PatternDispositionValue": 931409291,"PatternId": -1833169404,"PlatformId": "Icelandictroupe","PlatformName": "Mac","ProcessEndTime": 508081790,"ProcessId": -1609210457,"ProcessStartTime": -825204379,"ReferrerUrl": "over therecluster","SHA1String": "everybodyexaltation","SHA256String": "uptightstand","Severity": 50,"SeverityName": "Informational","SourceProducts": "nonepacket","SourceVendors": "halfbrace","Tactic": "anythinghost","Technique": "whyclass","Type": "ldt","UserName": "friendlygift"}} +{"metadata": {"customerIDString": "herework","offset": -219552527,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "everybodysoftware","UserID": "fulleye","ExecutionID": "thispatience","ReportID": "variedharvest","ReportName": "hisday","ReportType": "noneweekend","ReportFileReference": "itregiment","Status": "unusualweather","StatusMessage": "anyroom (space)","ExecutionMetadata": {"ExecutionStart": -1617323351,"ExecutionDuration": 978610360,"ReportFileName": "whatbook","ResultCount": 647481392,"ResultID": "gloriousmurder","SearchWindowStart": -877577983,"SearchWindowEnd": -1319125118}}} +{"metadata": {"customerIDString": "Middle Easternblouse","offset": -516793127,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "cleverenthusiasm","MobileDetectionId": -340747654,"ComputerName": "Peruvianfilm","UserName": "hugealbum","ContextTimeStamp": 1649061056,"DetectId": "thisair","DetectName": "muchworld","DetectDescription": "publicity time brace company cast money Indianplane","Tactic": "shybattery","TacticId": "difficultjustice","Technique": "Gabonesebouquet","TechniqueId": "Turkishjourney","Objective": "sparsethought","Severity": 86,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/theirtroupe?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "howgold","AndroidAppLabel": "wholeheap","DexFileHashes": "nobodyhappiness","ImageFileName": "itcloud","AppInstallerInformation": "enoughleisure","IsBeingDebugged": false,"AndroidAppVersionName": "thoseworld","IsContainerized": true}]}} +{"metadata": {"customerIDString": "whosecoldness","offset": 1081896456,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "shybatch","IncidentDescription": "loneliness marriage trip stupidity class party flock loneliness lots ofadvice","Severity": 92,"SeverityName": "Informational","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "severalclass","UserName": "whosecovey","EndpointName": "theirfilm","EndpointIp": "158.195.125.230","Category": "Incidents","NumbersOfAlerts": 585727349,"NumberOfCompromisedEntities": 1623353958,"State": "NEW","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thatcluster?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "Kazakhriver","offset": 334368122,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "famousdetermination","IncidentDescription": "heavyflock","Severity": 40,"SeverityName": "Medium","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "herfruit","UserName": "onemuster","EndpointName": "Torontonianbrilliance","EndpointIp": "189.200.117.145","Category": "Incidents","NumbersOfAlerts": -437866633,"NumberOfCompromisedEntities": 742066646,"State": "DISMISS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Greekwisp?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "anyoneline","offset": -72770039,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "eachcarpet","UserIp": "138.18.252.207","OperationName": "selfAcceptEula","ServiceName": "Crowdstrike Streaming API","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "everyonehost","ValueString": "hisgold"}],"Attributes": {"actor_cid": "Sri-Lankanmilk","actor_user": "thisgrandmother","actor_user_uuid": "oddbrace","app_id": "Gaussianarmy","saml_assertion": "whosefailure","target_user": "thereturkey","trace_id": "someonedivorce"}}} +{"metadata": {"customerIDString": "emptylove","offset": 894515716,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "singlereel","Region": "us-west-1","ResourceId": "whichproblem","ResourceIdType": "Confuciantrain station","ResourceName": "helpfulgroup","ResourceCreateTime": 0,"PolicyStatement": "howteam","PolicyId": -509093213,"Severity": 63,"SeverityName": "Medium","CloudPlatform": "Madagascanpoint","CloudService": "Taiwanesehand","Disposition": "Failed","ResourceUrl": "whyyear","Finding": "whereoil","Tags": [{"Key": "whatchild","ValueString": "tiredpair"}],"ReportUrl": "grievingtree","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "thesepatrol","offset": 1360207044,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "plaingroup","CustomerId": "somebodygroup","Ipv": "66.20.151.157","CommandLine": "herebowl","ConnectionDirection": "1","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": false,"Log": false,"Monitor": true},"HostName": "alltrip","ICMPCode": "sufficientharvest","ICMPType": "Americancollege","ImageFileName": "importantcontent","LocalAddress": "229.210.85.178","LocalPort": "52332","MatchCount": 1393134792,"MatchCountSinceLastReport": 101557834,"NetworkProfile": "howgang","PID": "1288272938","PolicyName": "manygeneration","PolicyID": "howambulance","Protocol": "herream","RemoteAddress": "205.157.7.87","RemotePort": "65126","RuleAction": "itchildhood","RuleDescription": "cave reel film whichset","RuleFamilyID": "whysunglasses","RuleGroupName": "somesalt","RuleName": "Shakespeareanworld","RuleId": "mystack","Status": "someyear","Timestamp": 1751371830,"TreeID": "itsshoulder"}} +{"metadata": {"customerIDString": "thatsteak","offset": -1255646667,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "dangerousreligion","DetectName": "ourchest","DetectDescription": "currency work bevy knowledge choir howtrade","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/obnoxioussister?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 11,"SeverityName": "Low","Tactic": "myclump","Technique": "Thaibrace","Objective": "thatwealth","SourceAccountDomain": "anyphilosophy","SourceAccountName": "a littleguitar","SourceAccountObjectSid": "wherequantity","SourceEndpointAccountObjectGuid": "thosebody","SourceEndpointAccountObjectSid": "hisfuel","SourceEndpointHostName": "herresearch","SourceEndpointIpAddress": "184.204.146.196","SourceEndpointSensorId": "whichmob","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "mypack","PatternId": 1700953340}} +{"metadata": {"customerIDString": "whychoir","offset": -1547696080,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "thosedisregard","Highlights": ["inquiringshower"],"MatchedTimestamp": 1686889114000,"RuleId": "everyonepod","RuleName": "Canadianclass","RuleTopic": "thereclass","RulePriority": "Congolesegovernment","ItemId": "Peruvianjoy","ItemType": "BREACH_6G","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "realisticbitterness","offset": -495225738,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "therejuice","MobileDetectionId": -1541162559,"ComputerName": "wheretoothbrush","UserName": "Thaitroupe","ContextTimeStamp": 1649061056,"DetectId": "plenty ofstand","DetectName": "anythingcaravan","DetectDescription": "page welfare clump heap heat pair nest troop part hair sheaf product company way number person string wood team jersey child eye freezer someonefreedom","Tactic": "heregalaxy","TacticId": "fewpaper","Technique": "somesister","TechniqueId": "thosegang","Objective": "herrespect","Severity": 7,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/vastmurder?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "itparty","AndroidAppLabel": "Elizabethanmob","DexFileHashes": "hismall","ImageFileName": "Antarcticold age","AppInstallerInformation": "lots ofaccount","IsBeingDebugged": false,"AndroidAppVersionName": "whatsheaf","IsContainerized": false}]}} +{"metadata": {"customerIDString": "heretown","offset": -384081936,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "splendidbunch","UserIp": "27.238.143.166","OperationName": "updateUser","ServiceName": "Crowdstrike Streaming API","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "whatdeskpath","ValueString": "whichannoyance"}],"Attributes": {"actor_cid": "theirhealth","actor_user": "anythingdynasty","actor_user_uuid": "variedmob","app_id": "anyonelife","saml_assertion": "whosecackle","target_user": "howkoala","trace_id": "whichbale"}}} +{"metadata": {"customerIDString": "manyoutfit","offset": 1905963089,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "eachpeace","DataDomains": "Email","Description": "desk care hisbale","DetectId": "somemob","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "48.70.160.5","HostNames": "whosemouth","Name": "thesehoses","PatternId": 591567142,"Severity": 2,"SourceProducts": "eachteam","SourceVendors": "mychild","StartTimeEpoch": 1643317697728000000,"TacticIds": "theirpencil","Tactics": "over therecrew","TechniqueIds": "nobodyrange","Techniques": "allbevy","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "theseapartment","offset": 176461631,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "shycrew","UserIp": "53.0.135.20","OperationName": "updateUser","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "enough ofcrime","ValueString": "over thereluxury"}],"Attributes": {"actor_cid": "everybodytime","actor_user": "thishammer","actor_user_uuid": "greattea","app_id": "aliveexaltation","saml_assertion": "thishorror","target_user": "Sri-Lankanwisp","trace_id": "purpleman"}}} +{"metadata": {"customerIDString": "whyold age","offset": 316864808,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "numerousdishonesty","HostnameField": "over thereright","UserName": "yourstairs","StartTimestamp": 1582830734,"AgentIdString": "coupleedge"}} +{"metadata": {"customerIDString": "lovelyscale","offset": -627467081,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "everyonefact","UserIp": "121.60.59.78","OperationName": "revokeUserRoles","ServiceName": "detections","AuditKeyValues": [{"Key": "hundredgroup","ValueString": "theseday"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "grumpyheat"}}} +{"metadata": {"customerIDString": "couplescold","offset": 543949641,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "joyousriches","DetectName": "frailteam","DetectDescription": "work thing fleet way reel bank electricity bale hospitality thisseafood","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/luckyteam?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 10,"SeverityName": "High","Tactic": "therecrowd","Technique": "fewblender","Objective": "someonepride","SourceAccountDomain": "whichswimming pool","SourceAccountName": "over thereenvy","SourceAccountObjectSid": "greatbread","SourceEndpointAccountObjectGuid": "whereschool","SourceEndpointAccountObjectSid": "cleverpain","SourceEndpointHostName": "creepyhorde","SourceEndpointIpAddress": "136.36.92.210","SourceEndpointSensorId": "nonepacket","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "friendlyheart","PatternId": -443713424}} +{"metadata": {"customerIDString": "thereappetite","offset": 623154183,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "someonemustering","IncidentDescription": "wisp range muster problem grains beans pleasanttrip","Severity": 78,"SeverityName": "Critical","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "yourproblem","UserName": "hisgroup","EndpointName": "fewfashion","EndpointIp": "172.22.143.10","Category": "Incidents","NumbersOfAlerts": 1390974751,"NumberOfCompromisedEntities": -1069330858,"State": "IN_PROGRESS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/crowdedwindow?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "puzzledgossip","offset": -361244643,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 1334881571,"ProcessEndTime": 1592090652,"ProcessId": -3691523,"ParentProcessId": -487733610,"ComputerName": "onepod","UserName": "funnybread","DetectName": "tamechapter","DetectDescription": "bill student composer shop cast day physician gang belt deceit apro swimming pool year yourbrace","Severity": 1,"SeverityName": "Critical","FileName": "whydynasty","FilePath": "enviousjoy\\whydynasty","CommandLine": "C:\\Windows\\lightfork","SHA256String": "stormyforest","MD5String": "severalregiment","SHA1String": "anycompany","MachineDomain": "wholecast","NetworkAccesses": [{"AccessType": 1619339910,"AccessTimestamp": 1751371565,"Protocol": "hundredmustering","LocalAddress": "224.47.187.47","LocalPort": 78055,"RemoteAddress": "229.92.156.190","RemotePort": 45009,"ConnectionDirection": 0,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/itlaughter?_cid=xxxxxxx","SensorId": "everythingcash","IOCType": "registry_key","IOCValue": "blushingjustice","DetectId": "terriblechair","LocalIP": "19.90.220.75","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "mostbaby","Technique": "nonexylophone","Objective": "distincttroop","PatternDispositionDescription": "cast galaxy troupe murder hospital library anyoneinformation","PatternDispositionValue": 650470780,"PatternDispositionFlags": {"Indicator": false,"Detect": false,"InddetMask": false,"SensorOnly": true,"Rooting": false,"KillProcess": false,"KillSubProcess": false,"QuarantineMachine": false,"QuarantineFile": true,"PolicyDisabled": false,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": false,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": false,"SuspendParent": false},"ParentImageFileName": "everybodydarkness","ParentCommandLine": "severalclarity","GrandparentImageFileName": "thismusic","GrandparentCommandLine": "thatgroup","HostGroups": "whatstand","AssociatedFile": "Turkishishthrill","PatternId": -1395883393}} +{"metadata": {"customerIDString": "whatcamp","offset": 463109765,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "tastydisregard","CustomerId": "nonefriendship","Ipv": "114.154.92.79","CommandLine": "thesepeace","ConnectionDirection": "0","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": true,"Log": true,"Monitor": true},"HostName": "Atlanteanscale","ICMPCode": "nonehatred","ICMPType": "thosetrend","ImageFileName": "whichcalm","LocalAddress": "137.152.165.251","LocalPort": "84787","MatchCount": -420311943,"MatchCountSinceLastReport": 1591016967,"NetworkProfile": "Costa Ricanscold","PID": "1684063285","PolicyName": "ourlife","PolicyID": "eachgrammar","Protocol": "Putinistlife","RemoteAddress": "174.197.33.250","RemotePort": "43235","RuleAction": "thosehand","RuleDescription": "group thiscompany","RuleFamilyID": "Caesarianhand","RuleGroupName": "thiscast","RuleName": "yourgroup","RuleId": "howair","Status": "distinctmuster","Timestamp": 1751371830,"TreeID": "enough ofarchipelago"}} +{"metadata": {"customerIDString": "sparseregiment","offset": 1805307211,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "nobodyknowledge","DataDomains": "Network","Description": "thing packet cravat furniture giraffe hedge horde packet gossip abundantway","DetectId": "wherebridge","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "100.108.176.150","HostNames": "severalappetite","Name": "everybodybus","PatternId": -977701303,"Severity": 12,"SourceProducts": "oneboard","SourceVendors": "helplessgroup","StartTimeEpoch": 1643317697728000000,"TacticIds": "itgroup","Tactics": "Mexicanpoverty","TechniqueIds": "herwork","Techniques": "Burkinesebale","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "tenderworld","offset": -1993693801,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "hertoothbrush","CustomerId": "greatpurse","Ipv": "17.207.201.185","CommandLine": "whyforest","ConnectionDirection": "2","EventType": "FirewallRuleApplicationFailed","Flags": {"Audit": false,"Log": true,"Monitor": true},"HostName": "Romancalm","ICMPCode": "yourshock","ICMPType": "quizzicalbrass","ImageFileName": "whereclothing","LocalAddress": "69.20.63.89","LocalPort": "40325","MatchCount": -311473488,"MatchCountSinceLastReport": -361100485,"NetworkProfile": "insufficientbrace","PID": "208161615","PolicyName": "Thatcheriteslippers","PolicyID": "whypatrol","Protocol": "mysteriouslove","RemoteAddress": "98.125.133.9","RemotePort": "40806","RuleAction": "yoursand","RuleDescription": "flock time bill goodness chest congregation hat governor travel tribe washing machine elegance luck pain harvest professor minute exaltation myseed","RuleFamilyID": "Pacificguilt","RuleGroupName": "embarrassedvillage","RuleName": "nobodychest","RuleId": "enthusiasticgrandmother","Status": "somebodyapartment","Timestamp": 1751371830,"TreeID": "innocentpride"}} +{"metadata": {"customerIDString": "Lincolniancloud","offset": 2137637684,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "ourfreedom","IncidentDescription": "electricity party Somaliproduction","Severity": 66,"SeverityName": "High","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "youroil","UserName": "anybouquet","EndpointName": "theirlips","EndpointIp": "77.81.24.146","Category": "Incidents","NumbersOfAlerts": -158330689,"NumberOfCompromisedEntities": -1941609754,"State": "AUTO_RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/gloriousclump?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "somecoffee","offset": 1026554108,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "thiscandle","UserID": "lots ofnumber","ExecutionID": "whatgovernment","ReportID": "severalshower","ReportName": "shinymob","ReportType": "yourcaravan","ReportFileReference": "everybodybunch","Status": "myhappiness","StatusMessage": "howbowl","ExecutionMetadata": {"ExecutionStart": 2027571411,"ExecutionDuration": 1732978182,"ReportFileName": "theseeye","ResultCount": 1245107465,"ResultID": "howenvy","SearchWindowStart": 1603607858,"SearchWindowEnd": -1760779445}}} +{"metadata": {"customerIDString": "Bahamianelegance","offset": -2019281872,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "howlibrary","PolicyId": -1331161268,"PolicyStatement": "abundantblock","CloudProvider": "foolishpack","CloudService": "eachmango","Severity": 10,"SeverityName": "High","EventAction": "Welshlawn","EventSource": "thatrainbow","EventCreatedTimestamp": 1663011160,"UserId": "whichability","UserName": "whatbale","UserSourceIp": "114.181.169.0","Tactic": "herstupidity","Technique": "myperson"}} +{"metadata": {"customerIDString": "theirbundle","offset": -94547868,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "whatreel","Highlights": ["itgalaxy"],"MatchedTimestamp": 1686889114000,"RuleId": "itstroop","RuleName": "over thereadvice","RuleTopic": "whererespect","RulePriority": "mytroop","ItemId": "hispunctuation","ItemType": "6G_EXTERNAL","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "nophotographer","offset": 1060218677,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "hundredsline","HostnameField": "Cypriotcast","UserName": "everyoneblock","StartTimestamp": 1582830734,"AgentIdString": "Canadianway"}} +{"metadata": {"customerIDString": "sillyseafood","offset": -1086457365,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "over therecast","PolicyId": 613464372,"PolicyStatement": "theresister","CloudProvider": "severalgame","CloudService": "anythingcase","Severity": 94,"SeverityName": "Low","EventAction": "eachchoir","EventSource": "allmuster","EventCreatedTimestamp": 1663011160,"UserId": "vastbasket","UserName": "whosethought","UserSourceIp": "19.230.199.32","Tactic": "whichchest","Technique": "whyoil"}} +{"metadata": {"customerIDString": "thisanswer","offset": 143346317,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "herteam","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\Beethoveniangrandmother","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Endpoint","Description": "bill computer travel milk day set work hand greatsleep","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/anyonedolphin?_cid=xxxxxxx","FileName": "Putinistcaptain","FilePath": "eachbody\\Putinistcaptain","FilesAccessed": [{"FileName": "Putinistcaptain","FilePath": "eachbody\\Putinistcaptain","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "Putinistcaptain","FilePath": "eachbody\\Putinistcaptain","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\wherebrother","GrandParentImageFileName": "everybodyflock","GrandParentImageFilePath": "littleweek\\everybodyflock","HostGroups": "scarylife","Hostname": "talentedbevy","LocalIP": "236.6.109.9","LocalIPv6": "229.180.81.241","LogonDomain": "nobodyclass","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "whichnest","Name": "herbevy","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -554710589,"ConnectionDirection": 1,"IsIPV6": true,"LocalAddress": "1.139.97.90","LocalPort": 40012,"Protocol": "Ecuadorianmercy","RemoteAddress": "46.183.64.131","RemotePort": 74083}],"Objective": "yourhelp","ParentCommandLine": "C:\\Windows\\whoseimportance\\thatpair","ParentImageFileName": "thatpair","ParentImageFilePath": "distinctmurder\\thatpair","ParentProcessId": -1832873161,"PatternDispositionDescription": "luxury doctor range part shrimp theirsmile","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": true,"ContainmentFileSystem": true,"CriticalProcessDisabled": true,"Detect": false,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"InddetMask": false,"Indicator": false,"KillActionFailed": false,"KillParent": false,"KillProcess": false,"KillSubProcess": true,"OperationBlocked": false,"PolicyDisabled": false,"ProcessBlocked": false,"QuarantineFile": false,"QuarantineMachine": true,"RegistryOperationBlocked": false,"Rooting": true,"SensorOnly": false,"SuspendParent": false,"SuspendProcess": true},"PatternDispositionValue": 1412194306,"PatternId": 1936471643,"PlatformId": "mucharchipelago","PlatformName": "Mac","ProcessEndTime": 1724538403,"ProcessId": 702683689,"ProcessStartTime": 1164360404,"ReferrerUrl": "theirrain","SHA1String": "quizzicalpatrol","SHA256String": "Asiangroup","Severity": 63,"SeverityName": "Medium","SourceProducts": "Machiavellianyear","SourceVendors": "sorecrowd","Tactic": "over thereleap","Technique": "thatcardigan","Type": "ofp","UserName": "over theredentist"}} +{"metadata": {"customerIDString": "thismob","offset": -1135591888,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "ourthing","Region": "us-east-2","ResourceId": "emptyjoy","ResourceIdType": "enviouspride","ResourceName": "fewfailure","ResourceCreateTime": 0,"PolicyStatement": "Cambodianscold","PolicyId": -1106969094,"Severity": 54,"SeverityName": "Low","CloudPlatform": "bluemuster","CloudService": "heavilytraffic","Disposition": "Failed","ResourceUrl": "Turkishishdesktop","Finding": "lots ofresearch","Tags": [{"Key": "muchthought","ValueString": "oddpleasure"}],"ReportUrl": "enoughtowel","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "emptybevy","offset": 1881687581,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 873150530,"ProcessEndTime": 1068196828,"ProcessId": 428512325,"ParentProcessId": 1512278529,"ComputerName": "itsfrock","UserName": "onesandals","DetectName": "onedeskpath","DetectDescription": "troop chest knowledge exaltation woman oil reel pod water melon world failure ream meeting hail train station waist sedge hatred heavilypunctuation","Severity": 4,"SeverityName": "Low","FileName": "Gabonesecup","FilePath": "wearycleverness\\Gabonesecup","CommandLine": "C:\\Windows\\herepurse","SHA256String": "whichelegance","MD5String": "whycleverness","SHA1String": "wickedgroup","MachineDomain": "hersedge","NetworkAccesses": [{"AccessType": -945094986,"AccessTimestamp": 1751371565,"Protocol": "innocentperson","LocalAddress": "56.10.165.227","LocalPort": 83251,"RemoteAddress": "108.237.216.106","RemotePort": 76169,"ConnectionDirection": 0,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/handsomelibrary?_cid=xxxxxxx","SensorId": "blackworld","IOCType": "filename","IOCValue": "thisunion","DetectId": "Californiantribe","LocalIP": "127.230.75.80","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "Turkmenintelligence","Technique": "Victoriancash","Objective": "Elizabethandamage","PatternDispositionDescription": "tea childhood sugar flock importance brass bunch clump mustering weather chair danger world confusion bale elegance congregation fear wad body determination time plenty ofshower","PatternDispositionValue": -309856554,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": true,"SensorOnly": true,"Rooting": true,"KillProcess": true,"KillSubProcess": true,"QuarantineMachine": true,"QuarantineFile": true,"PolicyDisabled": false,"KillParent": true,"OperationBlocked": false,"ProcessBlocked": false,"RegistryOperationBlocked": true,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": true,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "herflock","ParentCommandLine": "severalmob","GrandparentImageFileName": "Gabonesework","GrandparentCommandLine": "ithappiness","HostGroups": "Bahraineancheese","AssociatedFile": "handsomefork","PatternId": -67810910}} +{"metadata": {"customerIDString": "a littledress","offset": -1895714009,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "Antarcticcase","Region": "us-west-2","ResourceId": "whoseyear","ResourceIdType": "Chinesemilk","ResourceName": "somebodytask","ResourceCreateTime": 0,"PolicyStatement": "hereairport","PolicyId": 535746907,"Severity": 100,"SeverityName": "Low","CloudPlatform": "everybodyhorse","CloudService": "whatstreet","Disposition": "Failed","ResourceUrl": "howline","Finding": "severalbevy","Tags": [{"Key": "whatpharmacist","ValueString": "yourfriendship"}],"ReportUrl": "thissnowman","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "pleasantpack","offset": -242479742,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "halfusage","PolicyId": 1518836599,"PolicyStatement": "wheretroupe","CloudProvider": "hispeace","CloudService": "yournumber","Severity": 99,"SeverityName": "Medium","EventAction": "successfulhand","EventSource": "herelawyer","EventCreatedTimestamp": 1663011160,"UserId": "over therechild","UserName": "anyeye","UserSourceIp": "173.212.243.84","Tactic": "thatsoup","Technique": "heavilyparty"}} +{"metadata": {"customerIDString": "Costa Ricanbasket","offset": -701009047,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "everythingwork","HostnameField": "stupidtroupe","UserName": "fewluxury","StartTimestamp": 1582830734,"AgentIdString": "everythingcackle"}} +{"metadata": {"customerIDString": "sufficientcompany","offset": -1724502797,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "theseyear","Highlights": ["Uzbekcackle"],"MatchedTimestamp": 1686889114000,"RuleId": "therecluster","RuleName": "illhorror","RuleTopic": "sufficientman","RulePriority": "so fewspaghetti","ItemId": "mytribe","ItemType": "6G","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "whosetroupe","offset": -295595764,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "itsstand","IncidentDescription": "sister stupidity trip fiction board exaltation dream pencil man parfume confusion theater flock smile staff caravan team party growth exaltation pod delay Diabolicalloneliness","Severity": 41,"SeverityName": "Informational","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "whatsmile","UserName": "over thereslavery","EndpointName": "manyrestaurant","EndpointIp": "96.60.203.83","Category": "Detections","NumbersOfAlerts": 1646546820,"NumberOfCompromisedEntities": -1689567587,"State": "IN_PROGRESS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thisexaltation?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "onelaptop","offset": -173772921,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "gorgeousinnocence","Highlights": ["thatcooker"],"MatchedTimestamp": 1686889114000,"RuleId": "ourpod","RuleName": "thisedge","RuleTopic": "everybodybatch","RulePriority": "moderngovernment","ItemId": "fancypleasure","ItemType": "TYPOSQUATTING","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "Kazakhscold","offset": -24057922,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "Confuciantime","State": "closed","FineScore": 2.1490279167369963,"LateralMovement": 1,"IncidentType": 2,"IncidentID": "brownmustering","HostID": "yourbowl","LMHostIDs": ["eachclarity"],"UserId": "Cambodianbear"}} +{"metadata": {"customerIDString": "yournest","offset": -1196410688,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "Swissclass","DetectName": "ourweather","DetectDescription": "solitude troop cackle litter disregard potato staff genetics anyonecrowd","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/ourmob?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 12,"SeverityName": "Informational","Tactic": "whatclass","Technique": "dangerousregiment","Objective": "eachbale","SourceAccountDomain": "Chineseweather","SourceAccountName": "enough ofexaltation","SourceAccountObjectSid": "yourcalm","SourceEndpointAccountObjectGuid": "everybodyman","SourceEndpointAccountObjectSid": "Asiancaravan","SourceEndpointHostName": "whoseposse","SourceEndpointIpAddress": "28.46.62.31","SourceEndpointSensorId": "hereleisure","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "thesemonkey","PatternId": -1330504039}} +{"metadata": {"customerIDString": "nobodyproblem","offset": -409318418,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "eithergroup","DetectName": "Sri-Lankanpack","DetectDescription": "reel xylophone waiter silence lawn king reel patrol water ability bag bikini mustering canoe tomatoes congregation manycatalog","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/toomuster?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 70,"SeverityName": "Low","Tactic": "sufficientchest","Technique": "ourvilla","Objective": "herekitchen","SourceAccountDomain": "itsfact","SourceAccountName": "thatriches","SourceAccountObjectSid": "allanger","SourceEndpointAccountObjectGuid": "Amazoniananswer","SourceEndpointAccountObjectSid": "whattree","SourceEndpointHostName": "myscold","SourceEndpointIpAddress": "243.191.118.101","SourceEndpointSensorId": "thosedamage","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "anycare","PatternId": 1498371416}} +{"metadata": {"customerIDString": "someoneorange","offset": 1360025336,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "whichbutter","State": "open","FineScore": 3.269068915450038,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "somebodyproblem","HostID": "howmovement","LMHostIDs": ["itsparty"],"UserId": "theretree"}} +{"metadata": {"customerIDString": "Putinistmuster","offset": -1421858061,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "thatman","UserIp": "56.234.182.112","OperationName": "resetAuthSecret","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "drabedge","ValueString": "thisdynasty"}],"Attributes": {"actor_cid": "wheresafety","actor_user": "anythingcaravan","actor_user_uuid": "Torontonianpad","app_id": "longbody","saml_assertion": "wherecow","target_user": "fewcongregation","trace_id": "whosebook"}}} +{"metadata": {"customerIDString": "Brazilianlibrary","offset": -1775525651,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "hisarmy","Region": "us-west-1","ResourceId": "mybunch","ResourceIdType": "nobodyobesity","ResourceName": "manypod","ResourceCreateTime": 0,"PolicyStatement": "thosebevy","PolicyId": -1563531110,"Severity": 82,"SeverityName": "Critical","CloudPlatform": "Swissbaby","CloudService": "hismouth","Disposition": "Passed","ResourceUrl": "Alpinecard","Finding": "everyoneboard","Tags": [{"Key": "yourharvest","ValueString": "Hinduguitar"}],"ReportUrl": "enough ofpatience","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "whyarchipelago","offset": 1100361421,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "scarygarlic","PolicyId": -508337642,"PolicyStatement": "South Americangain","CloudProvider": "eachkitchen","CloudService": "wheregirl","Severity": 0,"SeverityName": "Informational","EventAction": "nobodyapartment","EventSource": "Japaneseparty","EventCreatedTimestamp": 1663011160,"UserId": "cleartable","UserName": "doublebravery","UserSourceIp": "79.186.227.6","Tactic": "whichpharmacist","Technique": "anythingheap"}} +{"metadata": {"customerIDString": "faithfulsedge","offset": -1153044861,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "Finnishgroup","Highlights": ["everythingcackle"],"MatchedTimestamp": 1686889114000,"RuleId": "anythingsafety","RuleName": "hungryyear","RuleTopic": "everybodyperson","RulePriority": "whichcase","ItemId": "theirfame","ItemType": "LEGACY_TI","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "howpod","offset": -337225967,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 2039293594,"ProcessEndTime": 78241824,"ProcessId": -1204934519,"ParentProcessId": -1189832669,"ComputerName": "cooperativesoup","UserName": "Senegalesegarden","DetectName": "cleverworld","DetectDescription": "ring movement omen plane dynasty murder genetics gun shrimp severalforest","Severity": 0,"SeverityName": "Critical","FileName": "eitherchest","FilePath": "wherereel\\eitherchest","CommandLine": "C:\\Windows\\yourflock","SHA256String": "so fewream","MD5String": "gracefulplace","SHA1String": "whosemob","MachineDomain": "a little bitcovey","NetworkAccesses": [{"AccessType": -2079586564,"AccessTimestamp": 1751371565,"Protocol": "wherecleverness","LocalAddress": "215.12.217.211","LocalPort": 17654,"RemoteAddress": "159.133.111.242","RemotePort": 43615,"ConnectionDirection": 2,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/itsbale?_cid=xxxxxxx","SensorId": "whichhead","IOCType": "domain","IOCValue": "angrywheat","DetectId": "hisproduction","LocalIP": "145.186.39.187","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "itchyplan","Technique": "everybodymuster","Objective": "coupleriver","PatternDispositionDescription": "everyonetrust","PatternDispositionValue": -1306924973,"PatternDispositionFlags": {"Indicator": true,"Detect": true,"InddetMask": true,"SensorOnly": false,"Rooting": true,"KillProcess": true,"KillSubProcess": true,"QuarantineMachine": false,"QuarantineFile": false,"PolicyDisabled": true,"KillParent": false,"OperationBlocked": false,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": true,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": true,"SuspendParent": false},"ParentImageFileName": "itscompany","ParentCommandLine": "Polynesiandynasty","GrandparentImageFileName": "cleanband","GrandparentCommandLine": "onebatch","HostGroups": "thatmonkey","AssociatedFile": "realistickindness","PatternId": 1976579535}} +{"metadata": {"customerIDString": "energeticmob","offset": 1498856336,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "finecrowd","Highlights": ["fewvilla"],"MatchedTimestamp": 1686889114000,"RuleId": "manytroop","RuleName": "theircase","RuleTopic": "doublecast","RulePriority": "mytea","ItemId": "howparty","ItemType": "6G_EXTERNAL","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "whatshower","offset": -423824685,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "thisream","CustomerId": "everybodyfleet","Ipv": "174.242.82.175","CommandLine": "theirtribe","ConnectionDirection": "0","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": true,"Log": false,"Monitor": false},"HostName": "mygame","ICMPCode": "yourcompany","ICMPType": "thatrefrigerator","ImageFileName": "Swaziproduct","LocalAddress": "97.197.65.46","LocalPort": "30205","MatchCount": -1614755702,"MatchCountSinceLastReport": 1290226754,"NetworkProfile": "whydarkness","PID": "-475541700","PolicyName": "whatneck","PolicyID": "nopart","Protocol": "nonestand","RemoteAddress": "140.20.221.162","RemotePort": "69013","RuleAction": "nobodyuncle","RuleDescription": "hand work cello school jewelry philosophy cigarette team zealousdisregard","RuleFamilyID": "cleargovernment","RuleGroupName": "cooperativeposse","RuleName": "anymagazine","RuleId": "eithertrousers","Status": "itrabbit","Timestamp": 1751371830,"TreeID": "hundredspot"}} +{"metadata": {"customerIDString": "Gaussianbundle","offset": -1609299796,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "onefrailty","IncidentDescription": "bale crowd production number case clump shower air party eye goal covey couch love thosehedge","Severity": 60,"SeverityName": "High","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "ouraircraft","UserName": "thesehealth","EndpointName": "plenty ofbody","EndpointIp": "68.77.236.181","Category": "Detections","NumbersOfAlerts": -1236398259,"NumberOfCompromisedEntities": -754867910,"State": "RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/anyoneidea?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "howroom","offset": 1622494791,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "muchdonkey","CustomerId": "severalclothing","Ipv": "227.251.4.204","CommandLine": "Indonesianregiment","ConnectionDirection": "0","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": true,"Log": true,"Monitor": false},"HostName": "itsemployment","ICMPCode": "manycovey","ICMPType": "whereanthology","ImageFileName": "Swazibox","LocalAddress": "1.133.86.146","LocalPort": "40133","MatchCount": -1141462530,"MatchCountSinceLastReport": 923730747,"NetworkProfile": "so fewcloud","PID": "1892271720","PolicyName": "littleleap","PolicyID": "mosttime","Protocol": "mygroup","RemoteAddress": "186.11.145.208","RemotePort": "33604","RuleAction": "Asianpack","RuleDescription": "holiday pollution mob sofa luxury captain regiment salt theresoap","RuleFamilyID": "ourgalaxy","RuleGroupName": "whereleap","RuleName": "Tibetancackle","RuleId": "wherewoman","Status": "theireye","Timestamp": 1751371830,"TreeID": "wherepack"}} +{"metadata": {"customerIDString": "theirroom","offset": -1623094126,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "thatarmy","DetectName": "herelove","DetectDescription": "pound hand spaghetti patience group stand body logic regiment ability problem enthusiasm posse exaltation fleet cleverness batch clump army staff body sheaf sparsepharmacy","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/lemonyband?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 70,"SeverityName": "Low","Tactic": "howcrib","Technique": "fancysnow","Objective": "Dutchstack","SourceAccountDomain": "grumpyhorde","SourceAccountName": "widebatch","SourceAccountObjectSid": "therebook","SourceEndpointAccountObjectGuid": "ourcaravan","SourceEndpointAccountObjectSid": "Philippinesecond","SourceEndpointHostName": "giftedpod","SourceEndpointIpAddress": "63.39.212.117","SourceEndpointSensorId": "confusingworld","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "scarylibrary","PatternId": -247280516}} +{"metadata": {"customerIDString": "hisquiver","offset": -1554087733,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "mygroup","PolicyId": 1880370031,"PolicyStatement": "therestraw","CloudProvider": "frailjuice","CloudService": "someonesocks","Severity": 86,"SeverityName": "Informational","EventAction": "dulllibrary","EventSource": "Bahraineanomen","EventCreatedTimestamp": 1663011160,"UserId": "herband","UserName": "whichchoker","UserSourceIp": "81.158.84.27","Tactic": "howbook","Technique": "heregroup"}} +{"metadata": {"customerIDString": "thoseschool","offset": 1293418415,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "thatman","UserIp": "77.245.46.214","OperationName": "selfAcceptEula","ServiceName": "detections","AuditKeyValues": [{"Key": "mylight","ValueString": "thereday"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "whyteam"}}} +{"metadata": {"customerIDString": "thosething","offset": -163363404,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "onebed","UserIp": "168.23.53.99","OperationName": "activateUser","ServiceName": "detections","AuditKeyValues": [{"Key": "thoseclass","ValueString": "whichwork"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "littleline"}}} +{"metadata": {"customerIDString": "theirpoint","offset": 712655721,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "condemnedwad","HostnameField": "energeticspeed","UserName": "fewdynasty","StartTimestamp": 1582830734,"AgentIdString": "lots ofenvy"}} +{"metadata": {"customerIDString": "thiscaravan","offset": 696373221,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "hispack","UserID": "whatgovernment","ExecutionID": "thosebox","ReportID": "Africandynasty","ReportName": "notail","ReportType": "poortea","ReportFileReference": "whichpoverty","Status": "nonedream","StatusMessage": "wherenest","ExecutionMetadata": {"ExecutionStart": 862719019,"ExecutionDuration": -312456531,"ReportFileName": "hundredcurrency","ResultCount": 2037711995,"ResultID": "innocentworld","SearchWindowStart": 2002378724,"SearchWindowEnd": 886305071}}} +{"metadata": {"customerIDString": "fewgang","offset": 264264492,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "Plutoniancoffee","PolicyId": -848441892,"PolicyStatement": "thistoothpaste","CloudProvider": "anyriches","CloudService": "nonepoint","Severity": 93,"SeverityName": "Medium","EventAction": "whylife","EventSource": "jealousleap","EventCreatedTimestamp": 1663011160,"UserId": "thishour","UserName": "whatoxygen","UserSourceIp": "141.244.35.219","Tactic": "Himalayanpatrol","Technique": "whosetrench coat"}} +{"metadata": {"customerIDString": "Mayantrip","offset": 372428075,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "myclarity","UserID": "thatchild","ExecutionID": "howpod","ReportID": "thiscollection","ReportName": "thesecast","ReportType": "Taiwaneseproject","ReportFileReference": "repellingproduction","Status": "somebodyjersey","StatusMessage": "whatcrew","ExecutionMetadata": {"ExecutionStart": -968874194,"ExecutionDuration": -1986236896,"ReportFileName": "Confucianright","ResultCount": -827841076,"ResultID": "yourtroop","SearchWindowStart": -399355642,"SearchWindowEnd": -411107273}}} +{"metadata": {"customerIDString": "whichlife","offset": -651006186,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "itscase","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\whichblender","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Email","Description": "host solitude pair back person mytiming","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/hundredsgroup?_cid=xxxxxxx","FileName": "thosejuicer","FilePath": "Beethovenianelection\\thosejuicer","FilesAccessed": [{"FileName": "thosejuicer","FilePath": "Beethovenianelection\\thosejuicer","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "thosejuicer","FilePath": "Beethovenianelection\\thosejuicer","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\allthing","GrandParentImageFileName": "significantbale","GrandParentImageFilePath": "yourkangaroo\\significantbale","HostGroups": "everythingmurder","Hostname": "Brazilianmethod","LocalIP": "105.2.209.34","LocalIPv6": "180.201.206.109","LogonDomain": "Atlanticpack","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "numerousyear","Name": "insufficientproduct","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 1854815222,"ConnectionDirection": 2,"IsIPV6": false,"LocalAddress": "29.28.201.90","LocalPort": 64866,"Protocol": "wherenap","RemoteAddress": "197.196.30.79","RemotePort": 57095}],"Objective": "somecatalog","ParentCommandLine": "C:\\Windows\\eithertroupe\\heavymustering","ParentImageFileName": "heavymustering","ParentImageFilePath": "sometheater\\heavymustering","ParentProcessId": 1544348969,"PatternDispositionDescription": "hostel pod goal refrigerator danger equipment safety dream school sedge part cackle mustering hair bill street company bale answer apartment theirwisp","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": false,"Detect": false,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"InddetMask": false,"Indicator": true,"KillActionFailed": true,"KillParent": true,"KillProcess": true,"KillSubProcess": true,"OperationBlocked": false,"PolicyDisabled": false,"ProcessBlocked": false,"QuarantineFile": true,"QuarantineMachine": true,"RegistryOperationBlocked": false,"Rooting": false,"SensorOnly": true,"SuspendParent": true,"SuspendProcess": false},"PatternDispositionValue": -1815328339,"PatternId": 1901230339,"PlatformId": "theircare","PlatformName": "Mac","ProcessEndTime": 74838873,"ProcessId": 346232856,"ProcessStartTime": 665231140,"ReferrerUrl": "Alpinedisregard","SHA1String": "itway","SHA256String": "anygift","Severity": 39,"SeverityName": "High","SourceProducts": "whatcast","SourceVendors": "therearchipelago","Tactic": "anygroup","Technique": "fulltroop","Type": "ldt","UserName": "significantnecklace"}} +{"metadata": {"customerIDString": "herscold","offset": -232359573,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "mostparty","UserID": "Intelligentroad","ExecutionID": "someonebattery","ReportID": "comfortablefactory","ReportName": "singlechapter","ReportType": "nonechest","ReportFileReference": "oneinformation","Status": "over thereoil","StatusMessage": "itswisdom","ExecutionMetadata": {"ExecutionStart": -386107758,"ExecutionDuration": -487472309,"ReportFileName": "Bismarckianscold","ResultCount": -1005099107,"ResultID": "whatwrist","SearchWindowStart": 1183411956,"SearchWindowEnd": 564657326}}} +{"metadata": {"customerIDString": "theseevidence","offset": 1659127034,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "whatgeneration","CustomerId": "thatcare","Ipv": "147.243.60.212","CommandLine": "hundredsclass","ConnectionDirection": "0","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": false,"Log": true,"Monitor": true},"HostName": "nobodyshower","ICMPCode": "theseocean","ICMPType": "hugeream","ImageFileName": "whyelegance","LocalAddress": "101.155.223.92","LocalPort": "73825","MatchCount": -892950503,"MatchCountSinceLastReport": -360256119,"NetworkProfile": "whoseplant","PID": "-178846678","PolicyName": "thathandle","PolicyID": "Koreanpage","Protocol": "eacharchipelago","RemoteAddress": "232.232.18.172","RemotePort": "13070","RuleAction": "severalfather","RuleDescription": "river bulb ball mother mob lawyer severalthing","RuleFamilyID": "ourtowel","RuleGroupName": "helpfularmy","RuleName": "someonepacket","RuleId": "Torontonianposse","Status": "somechoir","Timestamp": 1751371830,"TreeID": "everyonebelief"}} +{"metadata": {"customerIDString": "Englishcompany","offset": -1340580103,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "Russiantoes","DetectName": "herebird","DetectDescription": "unemployment person man chaise longue board cigarette warmth care stack shirt salt cackle cast shirt imagination world mob divorce wealth stand whale a lotcrowd","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/variedposse?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 0,"SeverityName": "Low","Tactic": "littlecabinet","Technique": "yourpack","Objective": "a little bitegg","SourceAccountDomain": "hercompany","SourceAccountName": "excitingball","SourceAccountObjectSid": "whosemuster","SourceEndpointAccountObjectGuid": "allgroup","SourceEndpointAccountObjectSid": "anyevidence","SourceEndpointHostName": "Belgianboard","SourceEndpointIpAddress": "43.83.242.86","SourceEndpointSensorId": "a littlething","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "foolishteam","PatternId": -1824261729}} +{"metadata": {"customerIDString": "whymob","offset": 1116714742,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -513079484,"ProcessEndTime": -762341576,"ProcessId": 437581571,"ParentProcessId": -457652587,"ComputerName": "thissand","UserName": "cooperativemusician","DetectName": "Jungianunemployment","DetectDescription": "tolerance orchard product power team thatbale","Severity": 5,"SeverityName": "High","FileName": "emptydollar","FilePath": "whosepod\\emptydollar","CommandLine": "C:\\Windows\\therehat","SHA256String": "halfstack","MD5String": "myveterinarian","SHA1String": "whatcravat","MachineDomain": "whichknowledge","NetworkAccesses": [{"AccessType": 340400892,"AccessTimestamp": 1751371565,"Protocol": "finecloud","LocalAddress": "39.14.109.119","LocalPort": 13340,"RemoteAddress": "152.249.254.224","RemotePort": 36886,"ConnectionDirection": 0,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/scarypod?_cid=xxxxxxx","SensorId": "whichchild","IOCType": "hash_sha256","IOCValue": "wearywealth","DetectId": "manycity","LocalIP": "9.206.114.254","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "a little bitchild","Technique": "Welshdisregard","Objective": "grumpyequipment","PatternDispositionDescription": "skirt brace mustering time eye salt beauty muddypod","PatternDispositionValue": 1470298048,"PatternDispositionFlags": {"Indicator": true,"Detect": true,"InddetMask": true,"SensorOnly": true,"Rooting": false,"KillProcess": false,"KillSubProcess": false,"QuarantineMachine": true,"QuarantineFile": true,"PolicyDisabled": true,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": true,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": true,"SuspendParent": false},"ParentImageFileName": "Africancackle","ParentCommandLine": "cutestairs","GrandparentImageFileName": "alivecomfort","GrandparentCommandLine": "yourposse","HostGroups": "substantialemployment","AssociatedFile": "successfulbowl","PatternId": -1228625367}} +{"metadata": {"customerIDString": "Confucianpoint","offset": -2128929409,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "homelesspart","PolicyId": -1028354393,"PolicyStatement": "abundantsleep","CloudProvider": "everybodygroup","CloudService": "heavyhost","Severity": 7,"SeverityName": "Critical","EventAction": "anyquality","EventSource": "selfishhost","EventCreatedTimestamp": 1663011160,"UserId": "Viennesecash","UserName": "yourbunch","UserSourceIp": "92.203.240.122","Tactic": "anythingweight","Technique": "whosearmy"}} +{"metadata": {"customerIDString": "hisclass","offset": -845093918,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "joyousmustering","Region": "us-east-1","ResourceId": "numerouspack","ResourceIdType": "Guyanesevoice","ResourceName": "yourcluster","ResourceCreateTime": 0,"PolicyStatement": "nobodypatrol","PolicyId": 182778155,"Severity": 52,"SeverityName": "Informational","CloudPlatform": "Cormoranchoir","CloudService": "thismob","Disposition": "Passed","ResourceUrl": "significantparty","Finding": "naughtyposse","Tags": [{"Key": "theirbunch","ValueString": "whytroop"}],"ReportUrl": "variedday","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "elegantcase","offset": 1979368857,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "anypoint","HostnameField": "yourboy","UserName": "so fewworld","StartTimestamp": 1582830734,"AgentIdString": "proudboard"}} +{"metadata": {"customerIDString": "Hitlerianbeauty","offset": -596861980,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "Lilliputianslavery","HostnameField": "awfulwealth","UserName": "thatcafe","StartTimestamp": 1582830734,"AgentIdString": "theirslavery"}} +{"metadata": {"customerIDString": "itsconditioner","offset": 337202236,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "anyhorde","DetectName": "hundredsband","DetectDescription": "pasta child wisp knife book noise delay stack choir apartment management toilet owl idea account host man street time park window part shinyroom","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Intelligentpod?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 50,"SeverityName": "Informational","Tactic": "hundredspyramid","Technique": "Spanishpacket","Objective": "therechild","SourceAccountDomain": "howrange","SourceAccountName": "ourloss","SourceAccountObjectSid": "thattravel","SourceEndpointAccountObjectGuid": "outrageousbottle","SourceEndpointAccountObjectSid": "mystring","SourceEndpointHostName": "clearbook","SourceEndpointIpAddress": "31.228.65.165","SourceEndpointSensorId": "Christianidea","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "sparsebowl","PatternId": 1619711707}} +{"metadata": {"customerIDString": "nocast","offset": 179318870,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "anythingapple","MobileDetectionId": -1512737247,"ComputerName": "poisedcast","UserName": "substantialposse","ContextTimeStamp": 1649061056,"DetectId": "anyonedynasty","DetectName": "everyonebakery","DetectDescription": "trip place train kindness luxury doctor religion wherebattery","Tactic": "filthything","TacticId": "spottedpiano","Technique": "Aristoteliangrade","TechniqueId": "thesepack","Objective": "eachcrowd","Severity": 24,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/over therecase?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "smilingscold","AndroidAppLabel": "enough ofmovement","DexFileHashes": "nobodytrip","ImageFileName": "dangerousgeneration","AppInstallerInformation": "hisliterature","IsBeingDebugged": false,"AndroidAppVersionName": "thatgalaxy","IsContainerized": false}]}} +{"metadata": {"customerIDString": "manycrowd","offset": -1012940335,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "Senegalesepoverty","UserIp": "33.18.5.30","OperationName": "activateUser","ServiceName": "detections","AuditKeyValues": [{"Key": "nonechild","ValueString": "fewflour"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "embarrassedtable"}}} +{"metadata": {"customerIDString": "whichdisregard","offset": 990227271,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "whichparty","HostnameField": "whybrilliance","UserName": "thoughtfulnumber","StartTimestamp": 1582830734,"AgentIdString": "nobodyart"}} +{"metadata": {"customerIDString": "yourbouquet","offset": -209806479,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "gentlequiver","State": "closed","FineScore": 7.892927816545352,"LateralMovement": 1,"IncidentType": 2,"IncidentID": "somework","HostID": "nonestand","LMHostIDs": ["enoughtravel"],"UserId": "allclass"}} +{"metadata": {"customerIDString": "someoneproblem","offset": -1098262491,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "whatmotherhood","DataDomains": "Network","Description": "envy wealth shower fun board way case couch seed hail friend batch punctuation elegance party progress game neck friendship whosegossip","DetectId": "Canadiantiming","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "199.170.95.179","HostNames": "over therepanther","Name": "emptytroupe","PatternId": 2094324087,"Severity": 100,"SourceProducts": "hugepod","SourceVendors": "nobodyorchard","StartTimeEpoch": 1643317697728000000,"TacticIds": "anystrawberry","Tactics": "anyfact","TechniqueIds": "whybook","Techniques": "hissheaf","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "somebodyslavery","offset": 1805861405,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "hereweek","UserIp": "145.167.22.95","OperationName": "grantCustomerSubscriptions","ServiceName": "detections","AuditKeyValues": [{"Key": "Beethoveniangeneration","ValueString": "littleapp"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "whyhusband"}}} +{"metadata": {"customerIDString": "theremurder","offset": -1369577687,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "somedeskpath","MobileDetectionId": -254520824,"ComputerName": "herechoir","UserName": "severalband","ContextTimeStamp": 1649061056,"DetectId": "thisgalaxy","DetectName": "yourbevy","DetectDescription": "whereworld","Tactic": "carefullake","TacticId": "youridea","Technique": "sillyhand","TechniqueId": "severalroad","Objective": "whosehomework","Severity": 17,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Slovakcompany?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "thosetiger","AndroidAppLabel": "heavychild","DexFileHashes": "whereconfusion","ImageFileName": "Antarcticnest","AppInstallerInformation": "Elizabethanpencil","IsBeingDebugged": false,"AndroidAppVersionName": "thathost","IsContainerized": false}]}} +{"metadata": {"customerIDString": "whichregiment","offset": -1643404773,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "whichdynasty","Region": "us-east-2","ResourceId": "howgroup","ResourceIdType": "myboat","ResourceName": "thisdesktop","ResourceCreateTime": 0,"PolicyStatement": "someonecase","PolicyId": -1541774944,"Severity": 77,"SeverityName": "Informational","CloudPlatform": "Benineseinfancy","CloudService": "whereproject","Disposition": "Passed","ResourceUrl": "fullsupermarket","Finding": "Lilliputianshampoo","Tags": [{"Key": "thatbody","ValueString": "thatradio"}],"ReportUrl": "itstroupe","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "realisticthrill","offset": -1392969674,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -1219808772,"ProcessEndTime": -1668559174,"ProcessId": 335206452,"ParentProcessId": 1114175168,"ComputerName": "manyfreedom","UserName": "hilariousboxers","DetectName": "Germanparty","DetectDescription": "luggage team flock driver weather cackle danger board art company donkey calm trip government oil stand leggings belt fewhost","Severity": 2,"SeverityName": "Medium","FileName": "handsometrip","FilePath": "herway\\handsometrip","CommandLine": "C:\\Windows\\wildcackle","SHA256String": "itspart","MD5String": "ourgoodness","SHA1String": "Newtoniandelay","MachineDomain": "doublebow","NetworkAccesses": [{"AccessType": -332802669,"AccessTimestamp": 1751371565,"Protocol": "everythingunion","LocalAddress": "184.181.7.56","LocalPort": 11688,"RemoteAddress": "19.40.4.204","RemotePort": 17734,"ConnectionDirection": 1,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whichdynasty?_cid=xxxxxxx","SensorId": "Nepaleseharvest","IOCType": "hash_sha256","IOCValue": "itssmoke","DetectId": "thesedream","LocalIP": "213.173.16.80","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "Indonesiancrowd","Technique": "itsflock","Objective": "mystring","PatternDispositionDescription": "Shakespeareanmurder","PatternDispositionValue": -588935804,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": false,"SensorOnly": true,"Rooting": true,"KillProcess": false,"KillSubProcess": true,"QuarantineMachine": false,"QuarantineFile": false,"PolicyDisabled": true,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": true,"RegistryOperationBlocked": true,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": true,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "enough ofirritation","ParentCommandLine": "over theremob","GrandparentImageFileName": "exuberantleg","GrandparentCommandLine": "allcard","HostGroups": "wherebrace","AssociatedFile": "toughpacket","PatternId": 1308037568}} +{"metadata": {"customerIDString": "impromptushower","offset": 659051257,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 1455768470,"ProcessEndTime": -266478582,"ProcessId": 1664722161,"ParentProcessId": -399833595,"ComputerName": "dizzyingreel","UserName": "whyplant","DetectName": "itbevy","DetectDescription": "bitterness work movement stream couch sedge hundredspaghetti","Severity": 3,"SeverityName": "Low","FileName": "whoseproblem","FilePath": "famouswidth\\whoseproblem","CommandLine": "C:\\Windows\\enough ofparty","SHA256String": "whosenoodles","MD5String": "anyoneheap","SHA1String": "Malagasyworld","MachineDomain": "toochest","NetworkAccesses": [{"AccessType": -995515466,"AccessTimestamp": 1751371565,"Protocol": "allteam","LocalAddress": "111.19.217.24","LocalPort": 53608,"RemoteAddress": "51.118.171.155","RemotePort": 2097,"ConnectionDirection": 2,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/so fewsalary?_cid=xxxxxxx","SensorId": "allrainbow","IOCType": "command_line","IOCValue": "howjacket","DetectId": "thesebed","LocalIP": "22.0.228.148","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "whosecatalog","Technique": "importantclump","Objective": "whynature","PatternDispositionDescription": "husband pain class woman bouquet heralbum","PatternDispositionValue": 232362752,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": true,"SensorOnly": false,"Rooting": true,"KillProcess": true,"KillSubProcess": false,"QuarantineMachine": true,"QuarantineFile": false,"PolicyDisabled": false,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": true,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": false,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": true,"SuspendParent": false},"ParentImageFileName": "severalkettle","ParentCommandLine": "anywall","GrandparentImageFileName": "Einsteinianwoman","GrandparentCommandLine": "mygate","HostGroups": "whycountry","AssociatedFile": "singlesmile","PatternId": 2086358591}} +{"metadata": {"customerIDString": "theirprofessor","offset": 567248240,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 1774734214,"ProcessEndTime": 66307419,"ProcessId": -864884353,"ParentProcessId": -344829259,"ComputerName": "everythingtrade","UserName": "importantplane","DetectName": "anythingmob","DetectDescription": "woman owl mall racism leap host dog case company freedom child leap timing range physician number nurse stupidity quality work line cackle bundle itdog","Severity": 3,"SeverityName": "High","FileName": "hertime","FilePath": "allsink\\hertime","CommandLine": "C:\\Windows\\eacharmy","SHA256String": "everythingplace","MD5String": "somebodyparty","SHA1String": "herhospital","MachineDomain": "obedienthail","NetworkAccesses": [{"AccessType": -1032970588,"AccessTimestamp": 1751371565,"Protocol": "Tibetancrest","LocalAddress": "207.78.73.12","LocalPort": 48124,"RemoteAddress": "122.136.60.14","RemotePort": 41634,"ConnectionDirection": 2,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thoseworld?_cid=xxxxxxx","SensorId": "Burkineselion","IOCType": "domain","IOCValue": "whosebale","DetectId": "Ecuadoriannap","LocalIP": "210.235.244.135","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "whichset","Technique": "Pacificregiment","Objective": "whichdress","PatternDispositionDescription": "place problem range game head horde congregation mustering clump hedge heap year bowl rain harvest board door scarycase","PatternDispositionValue": 1078801731,"PatternDispositionFlags": {"Indicator": false,"Detect": true,"InddetMask": true,"SensorOnly": false,"Rooting": true,"KillProcess": true,"KillSubProcess": false,"QuarantineMachine": true,"QuarantineFile": true,"PolicyDisabled": false,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": true,"RegistryOperationBlocked": true,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": false,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "everythingway","ParentCommandLine": "enoughweek","GrandparentImageFileName": "eachline","GrandparentCommandLine": "wheretime","HostGroups": "luckybrace","AssociatedFile": "hishelp","PatternId": 1211434267}} +{"metadata": {"customerIDString": "Salvadoreanstaff","offset": 103240762,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "lots ofpair","MobileDetectionId": 1671974311,"ComputerName": "whybowl","UserName": "severalfather","ContextTimeStamp": 1649061056,"DetectId": "whoseeye","DetectName": "fewflock","DetectDescription": "woman board cigarette bravery grains house buffalo software regiment life heroutfit","Tactic": "Turkishright","TacticId": "thisbunch","Technique": "heavilytheater","TechniqueId": "whatjustice","Objective": "Barcelonianheat","Severity": 95,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thoseline?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "whichkilometer","AndroidAppLabel": "anygrapes","DexFileHashes": "whicheye","ImageFileName": "Monacanbrace","AppInstallerInformation": "badcrew","IsBeingDebugged": false,"AndroidAppVersionName": "heavilywindow","IsContainerized": false}]}} +{"metadata": {"customerIDString": "inquiringproduction","offset": -1536141160,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "franticnation","DetectName": "mymilk","DetectDescription": "generosity hat army growth covey class galaxy batch cash child hail handle mustering shock congregation life way slavery herkey","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/kubanmob?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 30,"SeverityName": "Medium","Tactic": "Senegalesefact","Technique": "muchmovement","Objective": "thosecovey","SourceAccountDomain": "thesecovey","SourceAccountName": "itchysedge","SourceAccountObjectSid": "allomen","SourceEndpointAccountObjectGuid": "so fewgalaxy","SourceEndpointAccountObjectSid": "herenumber","SourceEndpointHostName": "someonecompany","SourceEndpointIpAddress": "195.86.72.168","SourceEndpointSensorId": "substantialnest","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "over theretroupe","PatternId": 660480024}} +{"metadata": {"customerIDString": "manyline","offset": -597466430,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "sufficientrestaurant","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\therebrilliance","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Endpoint","Description": "razor yard whatleap","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/howcompany?_cid=xxxxxxx","FileName": "Vietnamesecountry","FilePath": "Atlanticcorner\\Vietnamesecountry","FilesAccessed": [{"FileName": "Vietnamesecountry","FilePath": "Atlanticcorner\\Vietnamesecountry","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "Vietnamesecountry","FilePath": "Atlanticcorner\\Vietnamesecountry","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\thosepatrol","GrandParentImageFileName": "Putinisttrend","GrandParentImageFilePath": "itspants\\Putinisttrend","HostGroups": "yourbowl","Hostname": "funnygrandmother","LocalIP": "19.252.225.20","LocalIPv6": "233.205.254.213","LogonDomain": "theregenetics","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "herweek","Name": "everyblock","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -1851110545,"ConnectionDirection": 0,"IsIPV6": false,"LocalAddress": "193.49.166.226","LocalPort": 38575,"Protocol": "foolishphone","RemoteAddress": "165.8.182.160","RemotePort": 78338}],"Objective": "wherestring","ParentCommandLine": "C:\\Windows\\Egyptiansedge\\fewpacket","ParentImageFileName": "fewpacket","ParentImageFilePath": "thatteam\\fewpacket","ParentProcessId": -1681528807,"PatternDispositionDescription": "murder card shoulder crowd quality work accommodation store host troop nap regiment patrol wood person selfishinnocence","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": false,"ContainmentFileSystem": true,"CriticalProcessDisabled": false,"Detect": true,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"InddetMask": true,"Indicator": true,"KillActionFailed": false,"KillParent": false,"KillProcess": true,"KillSubProcess": false,"OperationBlocked": false,"PolicyDisabled": false,"ProcessBlocked": true,"QuarantineFile": true,"QuarantineMachine": true,"RegistryOperationBlocked": true,"Rooting": true,"SensorOnly": false,"SuspendParent": true,"SuspendProcess": true},"PatternDispositionValue": 429314125,"PatternId": -975789334,"PlatformId": "Turkishishviolin","PlatformName": "Windows","ProcessEndTime": 1850358469,"ProcessId": -672567725,"ProcessStartTime": 1587634620,"ReferrerUrl": "Machiavellianelephant","SHA1String": "anythingemployment","SHA256String": "yourwoman","Severity": 42,"SeverityName": "High","SourceProducts": "alltime","SourceVendors": "couplecaravan","Tactic": "everythingbook","Technique": "wherebird","Type": "ofp","UserName": "everybodyhorn"}} +{"metadata": {"customerIDString": "Torontoniancompany","offset": -1122039317,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "thosegenerosity","State": "closed","FineScore": 1.0608080377799243,"LateralMovement": 1,"IncidentType": 2,"IncidentID": "muchclothing","HostID": "itparty","LMHostIDs": ["Antarcticcackle"],"UserId": "so fewharvest"}} +{"metadata": {"customerIDString": "thistiming","offset": -102202667,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "substantialjuice","UserID": "itsweather","ExecutionID": "nokindness","ReportID": "thesehorde","ReportName": "everyonebale","ReportType": "Sammarinesestaff","ReportFileReference": "attractivestaff","Status": "agreeableluck","StatusMessage": "smoggyfinger","ExecutionMetadata": {"ExecutionStart": 601517985,"ExecutionDuration": -709429405,"ReportFileName": "thatbook","ResultCount": 2084610239,"ResultID": "eachmistake","SearchWindowStart": 1734601028,"SearchWindowEnd": -846795858}}} +{"metadata": {"customerIDString": "severalweek","offset": -1707001885,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "Asiantime","IncidentDescription": "cast turkey battery troop aircraft host wisp oxygen whystack","Severity": 51,"SeverityName": "Low","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "onejoy","UserName": "yourcackle","EndpointName": "energeticbread","EndpointIp": "195.147.210.179","Category": "Incidents","NumbersOfAlerts": 1268934402,"NumberOfCompromisedEntities": 1259764240,"State": "AUTO_RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/hergalaxy?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "thatband","offset": 533280884,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "mytroop","Highlights": ["yourmercy"],"MatchedTimestamp": 1686889114000,"RuleId": "blushingstairs","RuleName": "Malagasykangaroo","RuleTopic": "everybodyright","RulePriority": "littletrip","ItemId": "whoselife","ItemType": "CS","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "thosecar","offset": 218160549,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "tooharvest","MobileDetectionId": 1430718232,"ComputerName": "yourleap","UserName": "Frenchtravel","ContextTimeStamp": 1649061056,"DetectId": "gorgeousmob","DetectName": "howcase","DetectDescription": "bale eye day dynasty laughter host number batch number place hand whichbouquet","Tactic": "Mozartianblock","TacticId": "emptyadult","Technique": "ourbody","TechniqueId": "darkarmy","Objective": "herepublicity","Severity": 76,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/anythought?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "funnyzoo","AndroidAppLabel": "a little bitwork","DexFileHashes": "a lotaunt","ImageFileName": "ourchair","AppInstallerInformation": "significantpark","IsBeingDebugged": false,"AndroidAppVersionName": "onegenerosity","IsContainerized": true}]}} +{"metadata": {"customerIDString": "itpalm","offset": -734238846,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "somebodyfashion","HostnameField": "hispatrol","UserName": "thishospital","StartTimestamp": 1582830734,"AgentIdString": "yourhumour"}} +{"metadata": {"customerIDString": "Bahamianexaltation","offset": 546463509,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "whatcloud","UserID": "Ecuadorianflour","ExecutionID": "badenthusiasm","ReportID": "howhead","ReportName": "tamebunch","ReportType": "Sudaneseclass","ReportFileReference": "hiswallet","Status": "upsettime","StatusMessage": "significantchild","ExecutionMetadata": {"ExecutionStart": 580693909,"ExecutionDuration": 1591944777,"ReportFileName": "hiswings","ResultCount": -128959722,"ResultID": "theseshower","SearchWindowStart": -248440703,"SearchWindowEnd": -1685768217}}} +{"metadata": {"customerIDString": "whosepack","offset": -839551041,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "herresearch","PolicyId": 220036543,"PolicyStatement": "Burmesestream","CloudProvider": "ityear","CloudService": "Greekexaltation","Severity": 24,"SeverityName": "High","EventAction": "manybrace","EventSource": "over thereoil","EventCreatedTimestamp": 1663011160,"UserId": "whosedesktop","UserName": "herefarm","UserSourceIp": "223.97.203.172","Tactic": "significantworld","Technique": "wherebody"}} +{"metadata": {"customerIDString": "herhouse","offset": -1879896176,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "itcatalog","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\everybodyday","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "IoT","Description": "place group mustering coffee patrol fiction fun boy person life finger host exaltation exaltation person number galaxy candle case anthology howbunch","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/lightbevy?_cid=xxxxxxx","FileName": "everythinggovernment","FilePath": "theseparty\\everythinggovernment","FilesAccessed": [{"FileName": "everythinggovernment","FilePath": "theseparty\\everythinggovernment","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "everythinggovernment","FilePath": "theseparty\\everythinggovernment","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\anycash","GrandParentImageFileName": "anythinggang","GrandParentImageFilePath": "Englishwidth\\anythinggang","HostGroups": "jealouswad","Hostname": "whereteam","LocalIP": "121.150.104.60","LocalIPv6": "251.127.218.128","LogonDomain": "Salvadoreancongregation","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "Alaskanream","Name": "Vietnamesemustering","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 1285794417,"ConnectionDirection": 2,"IsIPV6": true,"LocalAddress": "4.193.124.143","LocalPort": 87112,"Protocol": "itsnurse","RemoteAddress": "153.89.96.29","RemotePort": 70233}],"Objective": "wherealbum","ParentCommandLine": "C:\\Windows\\superloss\\herequiver","ParentImageFileName": "herequiver","ParentImageFilePath": "everybodybunch\\herequiver","ParentProcessId": -1276296253,"PatternDispositionDescription": "thosepacket","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": false,"Detect": true,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"InddetMask": true,"Indicator": true,"KillActionFailed": false,"KillParent": true,"KillProcess": false,"KillSubProcess": false,"OperationBlocked": true,"PolicyDisabled": true,"ProcessBlocked": false,"QuarantineFile": true,"QuarantineMachine": false,"RegistryOperationBlocked": false,"Rooting": true,"SensorOnly": false,"SuspendParent": true,"SuspendProcess": false},"PatternDispositionValue": 587089416,"PatternId": -873792023,"PlatformId": "lightmuster","PlatformName": "Linux","ProcessEndTime": -1943958440,"ProcessId": -478736025,"ProcessStartTime": 121329134,"ReferrerUrl": "enough ofsock","SHA1String": "somebodyyear","SHA256String": "nonestaff","Severity": 85,"SeverityName": "High","SourceProducts": "eachworld","SourceVendors": "everyonefleet","Tactic": "Balineseverb","Technique": "a littleidea","Type": "ldt","UserName": "whichpart"}} +{"metadata": {"customerIDString": "thesesugar","offset": -681064101,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "eachgang","DetectName": "someoneriches","DetectDescription": "a littletroop","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/itsriches?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 67,"SeverityName": "High","Tactic": "faithfulnutrition","Technique": "confusinggang","Objective": "whichleap","SourceAccountDomain": "somebodyday","SourceAccountName": "thesechildren","SourceAccountObjectSid": "uninterestedisland","SourceEndpointAccountObjectGuid": "allwidth","SourceEndpointAccountObjectSid": "itgoodness","SourceEndpointHostName": "gentlecontent","SourceEndpointIpAddress": "50.68.139.91","SourceEndpointSensorId": "theiregg","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "ourproblem","PatternId": 884624048}} +{"metadata": {"customerIDString": "Kyrgyzhen","offset": 797209955,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "alllondon","State": "closed","FineScore": 4.884978426181396,"LateralMovement": 1,"IncidentType": 1,"IncidentID": "littlerange","HostID": "mymercy","LMHostIDs": ["manyreel"],"UserId": "ourhorse"}} +{"metadata": {"customerIDString": "allhandle","offset": -1304643313,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "pricklingtelevision","IncidentDescription": "park chest chest orange tribe nest appetite cap flock bread posse desk joy company dream rhythm patrol tongue hedge apartment whoseoffice","Severity": 32,"SeverityName": "Medium","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "Rooseveltianreligion","UserName": "South Americanharvest","EndpointName": "powerlessday","EndpointIp": "250.221.185.73","Category": "Detections","NumbersOfAlerts": 62079556,"NumberOfCompromisedEntities": -2064797836,"State": "RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thosepacket?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "allcloud","offset": 2057180769,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "oneproblem","UserIp": "6.9.195.182","OperationName": "resetAuthSecret","ServiceName": "Crowdstrike Streaming API","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "puzzledfrailty","ValueString": "Turkishbrilliance"}],"Attributes": {"actor_cid": "friendlylibrary","actor_user": "whatreligion","actor_user_uuid": "tensechild","app_id": "somebodyday","saml_assertion": "ouraddress","target_user": "mythrill","trace_id": "hisbunch"}}} +{"metadata": {"customerIDString": "thosearchipelago","offset": 1981280026,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "thattrust","HostnameField": "wearycongregation","UserName": "mushyhorde","StartTimestamp": 1582830734,"AgentIdString": "somepride"}} +{"metadata": {"customerIDString": "somepower","offset": 1411701757,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "Iranianpolice station","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\ourtaxi","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Endpoint","Description": "ittea","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/ourswimming pool?_cid=xxxxxxx","FileName": "Ecuadoriangroup","FilePath": "whosesmile\\Ecuadoriangroup","FilesAccessed": [{"FileName": "Ecuadoriangroup","FilePath": "whosesmile\\Ecuadoriangroup","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "Ecuadoriangroup","FilePath": "whosesmile\\Ecuadoriangroup","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\thesefork","GrandParentImageFileName": "a littlecabin","GrandParentImageFilePath": "handsomecatalog\\a littlecabin","HostGroups": "mostman","Hostname": "everybodyfleet","LocalIP": "189.29.8.130","LocalIPv6": "159.3.194.174","LogonDomain": "thosecase","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "manyphotographer","Name": "somebodynest","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 1060505770,"ConnectionDirection": 0,"IsIPV6": true,"LocalAddress": "171.216.167.11","LocalPort": 82702,"Protocol": "halfmurder","RemoteAddress": "9.215.112.156","RemotePort": 74098}],"Objective": "itsfashion","ParentCommandLine": "C:\\Windows\\theirmotivation\\plenty ofmob","ParentImageFileName": "plenty ofmob","ParentImageFilePath": "expensivehand\\plenty ofmob","ParentProcessId": 1821586867,"PatternDispositionDescription": "table stack troop group cleverness clump time Congolesepack","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": false,"ContainmentFileSystem": false,"CriticalProcessDisabled": true,"Detect": false,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"InddetMask": false,"Indicator": true,"KillActionFailed": true,"KillParent": true,"KillProcess": false,"KillSubProcess": true,"OperationBlocked": true,"PolicyDisabled": false,"ProcessBlocked": true,"QuarantineFile": false,"QuarantineMachine": false,"RegistryOperationBlocked": true,"Rooting": true,"SensorOnly": false,"SuspendParent": false,"SuspendProcess": false},"PatternDispositionValue": 656044748,"PatternId": -1504638547,"PlatformId": "yourdesk","PlatformName": "Windows","ProcessEndTime": -1683066086,"ProcessId": -611965295,"ProcessStartTime": -19010930,"ReferrerUrl": "thesehost","SHA1String": "whymotherhood","SHA256String": "herbird","Severity": 78,"SeverityName": "Low","SourceProducts": "whatharvest","SourceVendors": "everybodybank","Tactic": "plenty ofpanther","Technique": "itline","Type": "ofp","UserName": "theirjuice"}} +{"metadata": {"customerIDString": "howlibrary","offset": -1357596194,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "everybodycare","State": "closed","FineScore": 7.329323871679526,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "ourimagination","HostID": "whosechapter","LMHostIDs": ["wholelove"],"UserId": "whichdeer"}} +{"metadata": {"customerIDString": "therestove","offset": -1321825362,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -70758647,"ProcessEndTime": 1109602429,"ProcessId": -483490410,"ParentProcessId": -472945298,"ComputerName": "greenpyramid","UserName": "significantgroup","DetectName": "itslie","DetectDescription": "butter year troop troop bowl host marriage cluster egg page group equipment page sink parfume flock bevy year mustering rubbish band world muchline","Severity": 4,"SeverityName": "High","FileName": "abundantfish","FilePath": "severalrange\\abundantfish","CommandLine": "C:\\Windows\\halfdrum","SHA256String": "Bangladeshisorrow","MD5String": "wickedmeeting","SHA1String": "whoseboat","MachineDomain": "everybodyleap","NetworkAccesses": [{"AccessType": 1813273993,"AccessTimestamp": 1751371565,"Protocol": "richspelling","LocalAddress": "212.149.28.8","LocalPort": 17461,"RemoteAddress": "213.132.112.7","RemotePort": 75157,"ConnectionDirection": 0,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Danishchild?_cid=xxxxxxx","SensorId": "thoughtfulpolice","IOCType": "behavior","IOCValue": "nobodyscooter","DetectId": "yourhail","LocalIP": "113.246.231.18","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "anyoneheap","Technique": "shinycorner","Objective": "everycast","PatternDispositionDescription": "noise child leap week catalog basket shirt mob itshail","PatternDispositionValue": 1764829108,"PatternDispositionFlags": {"Indicator": true,"Detect": true,"InddetMask": false,"SensorOnly": false,"Rooting": false,"KillProcess": false,"KillSubProcess": true,"QuarantineMachine": true,"QuarantineFile": true,"PolicyDisabled": true,"KillParent": false,"OperationBlocked": false,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": true,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": false,"SuspendParent": false},"ParentImageFileName": "someonemistake","ParentCommandLine": "over therespaghetti","GrandparentImageFileName": "kindbowl","GrandparentCommandLine": "inquiringbrace","HostGroups": "over therescold","AssociatedFile": "hererubbish","PatternId": -493050193}} +{"metadata": {"customerIDString": "easyyear","offset": 1720121769,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "hereperson","IncidentDescription": "anger mile fun horror knowledge turkey horde wisp country enoughvest","Severity": 42,"SeverityName": "Critical","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "severalgarden","UserName": "howhail","EndpointName": "ourarmy","EndpointIp": "136.101.211.208","Category": "Incidents","NumbersOfAlerts": 646902721,"NumberOfCompromisedEntities": -1900425728,"State": "NEW","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/yourbunch?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "whoseflock","offset": -737457967,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "confusinghat","DetectName": "Japanesecheese","DetectDescription": "furniture nest wad comb casino man galaxy guilt ball body muster chest dynasty case club problem lips brace hail hat whichtennis","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thosegang?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 7,"SeverityName": "Informational","Tactic": "Middle Easterncompany","Technique": "Greekscold","Objective": "fewenthusiasm","SourceAccountDomain": "insufficientproblem","SourceAccountName": "theirwildlife","SourceAccountObjectSid": "thistolerance","SourceEndpointAccountObjectGuid": "theseswan","SourceEndpointAccountObjectSid": "Icelandiccrowd","SourceEndpointHostName": "Egyptianshower","SourceEndpointIpAddress": "253.226.103.104","SourceEndpointSensorId": "allcluster","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "howcoat","PatternId": 1827299863}} +{"metadata": {"customerIDString": "itchyfailure","offset": 1601443762,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "confusingquiver","DetectName": "wheresedge","DetectDescription": "board forest hedge motor juice troop desk thosesheaf","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/victoriouspack?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 56,"SeverityName": "High","Tactic": "hugeliter","Technique": "myregiment","Objective": "fantasticday","SourceAccountDomain": "itshost","SourceAccountName": "neitherposse","SourceAccountObjectSid": "poisedracism","SourceEndpointAccountObjectGuid": "anyonejuice","SourceEndpointAccountObjectSid": "singlenumber","SourceEndpointHostName": "yourgroup","SourceEndpointIpAddress": "126.48.118.213","SourceEndpointSensorId": "Finnishdoor","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "distinctwheat","PatternId": 776293127}} +{"metadata": {"customerIDString": "whatmob","offset": 385870836,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "itmilk","IncidentDescription": "chair sheaf mercy bravery body wisdom group Laotianscold","Severity": 34,"SeverityName": "Critical","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "jealoustraffic","UserName": "whyevidence","EndpointName": "itshedge","EndpointIp": "171.201.43.87","Category": "Incidents","NumbersOfAlerts": 409486886,"NumberOfCompromisedEntities": -221281473,"State": "AUTO_RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/uptightset?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "thoseroom (space)","offset": -1574265394,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "anynap","State": "open","FineScore": 0.9096205275042146,"LateralMovement": 1,"IncidentType": 1,"IncidentID": "eithergeneration","HostID": "Romaniancoat","LMHostIDs": ["thoseracism"],"UserId": "fewscold"}} +{"metadata": {"customerIDString": "eachsheaf","offset": -179584100,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "ourexaltation","State": "closed","FineScore": 2.263076300759446,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "herecloud","HostID": "howbrace","LMHostIDs": ["singlearchipelago"],"UserId": "stupidmusic"}} +{"metadata": {"customerIDString": "gorgeousgrowth","offset": -1837342772,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "allrhythm","IncidentDescription": "economics mobile host covey whosegrade","Severity": 58,"SeverityName": "Low","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "itspot","UserName": "manytennis","EndpointName": "purplekindness","EndpointIp": "162.164.166.132","Category": "Incidents","NumbersOfAlerts": -1223214221,"NumberOfCompromisedEntities": -1593909206,"State": "AUTO_RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/everyonecanoe?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "whybatch","offset": 56673093,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "Polynesianwhisker","UserID": "theirmusic","ExecutionID": "sparsecup","ReportID": "nobodydog","ReportName": "everyonegovernor","ReportType": "luckybook","ReportFileReference": "Romanirritation","Status": "itclump","StatusMessage": "Greekengine","ExecutionMetadata": {"ExecutionStart": -2030612385,"ExecutionDuration": -1051485609,"ReportFileName": "anythingparty","ResultCount": 977656925,"ResultID": "joyouspoint","SearchWindowStart": -201702444,"SearchWindowEnd": -515784341}}} +{"metadata": {"customerIDString": "jitteryparty","offset": 891806219,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "herefreedom","MobileDetectionId": -284098976,"ComputerName": "whatlife","UserName": "Canadianpad","ContextTimeStamp": 1649061056,"DetectId": "Newtonianbale","DetectName": "Hindumob","DetectDescription": "sedge crowd bed travel woman irritation eachhorde","Tactic": "severalannoyance","TacticId": "boredpack","Technique": "Romaniancaravan","TechniqueId": "elegantway","Objective": "whoselitter","Severity": 30,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/anythingbunch?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "jealousbuckles","AndroidAppLabel": "somebodyfashion","DexFileHashes": "thisanimal","ImageFileName": "thesedelay","AppInstallerInformation": "littlestreet","IsBeingDebugged": true,"AndroidAppVersionName": "franticgovernment","IsContainerized": true}]}} +{"metadata": {"customerIDString": "nonemuster","offset": 1418673639,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "whichcollege","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\Bismarckianclass","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "IoT","Description": "bravery newspaper shark belief shower way block cast talent method catalog expensiveharvest","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/anyonegrandmother?_cid=xxxxxxx","FileName": "someonerelaxation","FilePath": "Braziliancare\\someonerelaxation","FilesAccessed": [{"FileName": "someonerelaxation","FilePath": "Braziliancare\\someonerelaxation","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "someonerelaxation","FilePath": "Braziliancare\\someonerelaxation","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\theseshrimp","GrandParentImageFileName": "numerousproblem","GrandParentImageFilePath": "coupleream\\numerousproblem","HostGroups": "everybodyjoy","Hostname": "manygroup","LocalIP": "244.202.247.147","LocalIPv6": "117.38.247.225","LogonDomain": "anythingbatch","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "anypod","Name": "someonebill","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 725548536,"ConnectionDirection": 2,"IsIPV6": true,"LocalAddress": "65.212.62.175","LocalPort": 6696,"Protocol": "whatarmy","RemoteAddress": "100.140.94.153","RemotePort": 19149}],"Objective": "mostpod","ParentCommandLine": "C:\\Windows\\Buddhistjourney\\enough ofring","ParentImageFileName": "enough ofring","ParentImageFilePath": "theirveterinarian\\enough ofring","ParentProcessId": -1963109081,"PatternDispositionDescription": "car peace content mob itshedge","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": false,"ContainmentFileSystem": true,"CriticalProcessDisabled": false,"Detect": false,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"InddetMask": true,"Indicator": true,"KillActionFailed": true,"KillParent": false,"KillProcess": false,"KillSubProcess": true,"OperationBlocked": true,"PolicyDisabled": false,"ProcessBlocked": true,"QuarantineFile": false,"QuarantineMachine": true,"RegistryOperationBlocked": false,"Rooting": true,"SensorOnly": false,"SuspendParent": false,"SuspendProcess": false},"PatternDispositionValue": -1990540011,"PatternId": -111455656,"PlatformId": "Tibetanmustering","PlatformName": "Windows","ProcessEndTime": -128599036,"ProcessId": -1265886666,"ProcessStartTime": -546870326,"ReferrerUrl": "theremotherhood","SHA1String": "theirgossip","SHA256String": "herhail","Severity": 20,"SeverityName": "Critical","SourceProducts": "someonecongregation","SourceVendors": "yourtrend","Tactic": "ourstand","Technique": "wherefact","Type": "ldt","UserName": "theseaccommodation"}} +{"metadata": {"customerIDString": "therecast","offset": 436560948,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "wherejoy","UserIp": "67.147.40.168","OperationName": "deactivateUser","ServiceName": "detections","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "howgoal","ValueString": "so fewpainter"}],"Attributes": {"actor_cid": "whyhost","actor_user": "itshrimp","actor_user_uuid": "thistroupe","app_id": "thatslavery","saml_assertion": "thereblock","target_user": "everythingdesktop","trace_id": "abundantgold"}}} +{"metadata": {"customerIDString": "whosedog","offset": -51434368,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "brownroad","DataDomains": "Web","Description": "advice party school time ability troop over therehand","DetectId": "a lotpod","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "207.123.190.249","HostNames": "illdetermination","Name": "someliterature","PatternId": -791998758,"Severity": 96,"SourceProducts": "noplant","SourceVendors": "significantjoy","StartTimeEpoch": 1643317697728000000,"TacticIds": "fewswan","Tactics": "whereheap","TechniqueIds": "whichgroup","Techniques": "foolishbravery","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "whyday","offset": -664178279,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "howparty","IncidentDescription": "economics way man pack scold estate head senator nobodyscold","Severity": 1,"SeverityName": "High","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "over therewoman","UserName": "fewheap","EndpointName": "nobodypod","EndpointIp": "46.13.136.7","Category": "Detections","NumbersOfAlerts": -696499701,"NumberOfCompromisedEntities": 1805542781,"State": "RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/strangehost?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "therefriend","offset": -1497602444,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "over therebale","PolicyId": 398479010,"PolicyStatement": "thoseman","CloudProvider": "Tibetandog","CloudService": "eachcollection","Severity": 75,"SeverityName": "Informational","EventAction": "Belgiansmoke","EventSource": "somebodyshop","EventCreatedTimestamp": 1663011160,"UserId": "grievingsorrow","UserName": "anythinglove","UserSourceIp": "242.113.20.164","Tactic": "South Americancollection","Technique": "friendlyomen"}} +{"metadata": {"customerIDString": "mylitter","offset": -1538076175,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "Einsteinianfood","MobileDetectionId": -428079410,"ComputerName": "abundantdynasty","UserName": "allexaltation","ContextTimeStamp": 1649061056,"DetectId": "Polynesianproblem","DetectName": "wheretrend","DetectDescription": "library shower company road quantity wheat crew friendship driver place cheese hisbundle","Tactic": "Newtoniandynasty","TacticId": "hugeregiment","Technique": "herfreedom","TechniqueId": "itsquiver","Objective": "whosetroop","Severity": 8,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/myring?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "therebale","AndroidAppLabel": "herewhale","DexFileHashes": "howbusiness","ImageFileName": "thosenest","AppInstallerInformation": "whatscold","IsBeingDebugged": false,"AndroidAppVersionName": "somebodygenetics","IsContainerized": false}]}} +{"metadata": {"customerIDString": "emptygirl","offset": -1078858329,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "howsock","Region": "us-east-1","ResourceId": "yourbridge","ResourceIdType": "Mozartianelephant","ResourceName": "ouralbum","ResourceCreateTime": 0,"PolicyStatement": "anyonearchipelago","PolicyId": -2073273875,"Severity": 62,"SeverityName": "Critical","CloudPlatform": "thereweekend","CloudService": "Dutchfinger","Disposition": "Failed","ResourceUrl": "shybook","Finding": "whattribe","Tags": [{"Key": "impossibleweek","ValueString": "Sri-Lankanstreet"}],"ReportUrl": "everybodyfarm","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "Turkishishschool","offset": -370801054,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "everybodyfailure","State": "open","FineScore": 8.873186554562794,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "aliveplant","HostID": "yoursister","LMHostIDs": ["whereway"],"UserId": "wheretroupe"}} +{"metadata": {"customerIDString": "theresalary","offset": 815788331,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "Germanschool","MobileDetectionId": -115710443,"ComputerName": "itfinger","UserName": "Bahraineancase","ContextTimeStamp": 1649061056,"DetectId": "howsolitude","DetectName": "whichbook","DetectDescription": "basket girl uncle nap wealth government wad board judge bevy bill wheremob","Tactic": "Buddhistexaltation","TacticId": "lonelycare","Technique": "thesecloud","TechniqueId": "thisyear","Objective": "halfdresser","Severity": 21,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Swisspharmacy?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "wheregovernment","AndroidAppLabel": "Turkishisharchipelago","DexFileHashes": "Chinesecompany","ImageFileName": "Turkishworld","AppInstallerInformation": "severaldynasty","IsBeingDebugged": true,"AndroidAppVersionName": "healthyprogress","IsContainerized": true}]}} +{"metadata": {"customerIDString": "nonebale","offset": -2133110234,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "hereseafood","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\muchchair","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Endpoint","Description": "shower courage engine card work teen model apartment trade choir week problem air stack justice judge employment energy thought rain silence whatkeyboard","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/myline?_cid=xxxxxxx","FileName": "noneanthology","FilePath": "mostband\\noneanthology","FilesAccessed": [{"FileName": "noneanthology","FilePath": "mostband\\noneanthology","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "noneanthology","FilePath": "mostband\\noneanthology","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\everyonehedge","GrandParentImageFileName": "blueeye","GrandParentImageFilePath": "whatpacket\\blueeye","HostGroups": "wrongpig","Hostname": "somebodyslavery","LocalIP": "101.92.145.139","LocalIPv6": "30.170.92.115","LogonDomain": "mostcluster","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "successfulorchard","Name": "nonebunch","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 554946842,"ConnectionDirection": 1,"IsIPV6": true,"LocalAddress": "202.184.134.128","LocalPort": 34295,"Protocol": "Viennesesuit","RemoteAddress": "232.12.48.190","RemotePort": 74499}],"Objective": "over therecompany","ParentCommandLine": "C:\\Windows\\ourlips\\thesecongregation","ParentImageFileName": "thesecongregation","ParentImageFilePath": "healthynumber\\thesecongregation","ParentProcessId": 399241102,"PatternDispositionDescription": "clump company mistake care flock magic ream cleverness hereteam","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": false,"ContainmentFileSystem": false,"CriticalProcessDisabled": false,"Detect": true,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"InddetMask": true,"Indicator": false,"KillActionFailed": false,"KillParent": false,"KillProcess": true,"KillSubProcess": false,"OperationBlocked": false,"PolicyDisabled": true,"ProcessBlocked": true,"QuarantineFile": true,"QuarantineMachine": true,"RegistryOperationBlocked": true,"Rooting": true,"SensorOnly": true,"SuspendParent": false,"SuspendProcess": true},"PatternDispositionValue": -754077962,"PatternId": 1029999168,"PlatformId": "arrogantchild","PlatformName": "Linux","ProcessEndTime": -752741724,"ProcessId": 1376366651,"ProcessStartTime": -703921002,"ReferrerUrl": "doublehorror","SHA1String": "doublegroup","SHA256String": "theirconfusion","Severity": 88,"SeverityName": "High","SourceProducts": "Indianwoman","SourceVendors": "Torontonianblock","Tactic": "itresearch","Technique": "sufficientscold","Type": "ldt","UserName": "lots ofshampoo"}} +{"metadata": {"customerIDString": "whatexaltation","offset": 1424415311,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "Belgianvase","DataDomains": "Identity","Description": "leap host herbs forest voice mob road tail string metal fact news cow candle stomach fork mouse plane man fiction ream childhood South Americancarrot","DetectId": "somebrass","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "17.223.189.67","HostNames": "wherelibrary","Name": "thosebody","PatternId": 662283914,"Severity": 86,"SourceProducts": "itsister","SourceVendors": "darkcar","StartTimeEpoch": 1643317697728000000,"TacticIds": "powerlesscleverness","Tactics": "Lebanesegenetics","TechniqueIds": "itsgrowth","Techniques": "Burmesecompany","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "mytea","offset": 4862485,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "whycollection","DataDomains": "Identity","Description": "pronunciation friend brace couch wound anger work tooblock","DetectId": "itpacket","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "72.3.207.246","HostNames": "nobodywoman","Name": "expensivething","PatternId": -1544135566,"Severity": 14,"SourceProducts": "blushingpair","SourceVendors": "troublingbale","StartTimeEpoch": 1643317697728000000,"TacticIds": "mycackle","Tactics": "enviousstack","TechniqueIds": "therecare","Techniques": "fewbale","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "Putiniststairs","offset": -1371928211,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "Putinistbusiness","Highlights": ["Tibetanwork"],"MatchedTimestamp": 1686889114000,"RuleId": "gentletroop","RuleName": "whatway","RuleTopic": "preciousroom (space)","RulePriority": "anyhandle","ItemId": "herwound","ItemType": "SCRAPPY","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "Honduranbrother","offset": 781879607,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "Aristotelianmoonlight","State": "closed","FineScore": 5.7330111560525605,"LateralMovement": 0,"IncidentType": 2,"IncidentID": "ourfact","HostID": "theirinnocence","LMHostIDs": ["hundredcar"],"UserId": "puzzledpack"}} +{"metadata": {"customerIDString": "Colombianday","offset": -1815194109,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "substantialthing","UserID": "whosebevy","ExecutionID": "enough ofrhythm","ReportID": "Gabonesepatrol","ReportName": "itunemployment","ReportType": "thesesunshine","ReportFileReference": "whattime","Status": "whatriches","StatusMessage": "itquantity","ExecutionMetadata": {"ExecutionStart": 31416634,"ExecutionDuration": -560350705,"ReportFileName": "singlemuster","ResultCount": 516844617,"ResultID": "thispoint","SearchWindowStart": -1602411656,"SearchWindowEnd": 544449251}}} +{"metadata": {"customerIDString": "noneblock","offset": 1561697687,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "everyonetroop","PolicyId": 588847273,"PolicyStatement": "whosedetermination","CloudProvider": "Iraniancorner","CloudService": "hischild","Severity": 94,"SeverityName": "Informational","EventAction": "brightcomb","EventSource": "successfulbattery","EventCreatedTimestamp": 1663011160,"UserId": "whichband","UserName": "Philippinemetal","UserSourceIp": "4.57.181.164","Tactic": "myplace","Technique": "Finnishflock"}} +{"metadata": {"customerIDString": "youryear","offset": -85722046,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "yourclass","CustomerId": "happyfleet","Ipv": "176.51.58.252","CommandLine": "wherecongregation","ConnectionDirection": "0","EventType": "FirewallRuleApplicationFailed","Flags": {"Audit": true,"Log": true,"Monitor": false},"HostName": "jealousperson","ICMPCode": "Laotianchoir","ICMPType": "whycare","ImageFileName": "hiswildlife","LocalAddress": "104.238.18.196","LocalPort": "19032","MatchCount": -1515421592,"MatchCountSinceLastReport": -1616283640,"NetworkProfile": "Colombianluggage","PID": "94572158","PolicyName": "Turkmenoil","PolicyID": "thoughtfultroupe","Protocol": "Intelligentwatch","RemoteAddress": "52.132.67.64","RemotePort": "51983","RuleAction": "hischild","RuleDescription": "collection number choir troupe trip kindness crew house packet patience string nest idea block stand choir chest crew exaltation loss somebodygrammar","RuleFamilyID": "plaineye","RuleGroupName": "whatfact","RuleName": "whoseparrot","RuleId": "alivegroup","Status": "fewspeed","Timestamp": 1751371830,"TreeID": "hisgroup"}} +{"metadata": {"customerIDString": "neitherchocolate","offset": -372118937,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "mynest","DataDomains": "Web","Description": "howarmy","DetectId": "heavycackle","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "32.137.213.181","HostNames": "itparty","Name": "mycackle","PatternId": 1905558942,"Severity": 91,"SourceProducts": "whichapp","SourceVendors": "heavyrabbit","StartTimeEpoch": 1643317697728000000,"TacticIds": "somesunshine","Tactics": "Kazakhscold","TechniqueIds": "howchildhood","Techniques": "myability","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "Machiavellianunion","offset": 718725590,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "fewgain","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\eachsuccess","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "IoT","Description": "part ball gun wisp ring welfare pollution truth mistake shower library tolerance harm right basket magic outfit hail company severaleye","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/noneprogram?_cid=xxxxxxx","FileName": "howpair","FilePath": "whosewisp\\howpair","FilesAccessed": [{"FileName": "howpair","FilePath": "whosewisp\\howpair","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "howpair","FilePath": "whosewisp\\howpair","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\herdaughter","GrandParentImageFileName": "numerouscrowd","GrandParentImageFilePath": "itday\\numerouscrowd","HostGroups": "Thatcheriteboots","Hostname": "yourcandy","LocalIP": "135.58.92.156","LocalIPv6": "15.33.0.192","LogonDomain": "wideimagination","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "thesegrowth","Name": "couplecorruption","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -241703332,"ConnectionDirection": 2,"IsIPV6": false,"LocalAddress": "57.167.195.249","LocalPort": 1966,"Protocol": "Atlanticeconomics","RemoteAddress": "57.65.238.143","RemotePort": 8822}],"Objective": "innocentfactory","ParentCommandLine": "C:\\Windows\\thatdisregard\\over therelove","ParentImageFileName": "over therelove","ParentImageFilePath": "Spanishspoon\\over therelove","ParentProcessId": -536072046,"PatternDispositionDescription": "murder employment poverty harvest regiment way film band wisp tendertrade","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": true,"Detect": false,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"InddetMask": false,"Indicator": false,"KillActionFailed": true,"KillParent": true,"KillProcess": true,"KillSubProcess": true,"OperationBlocked": false,"PolicyDisabled": true,"ProcessBlocked": true,"QuarantineFile": false,"QuarantineMachine": false,"RegistryOperationBlocked": true,"Rooting": false,"SensorOnly": false,"SuspendParent": true,"SuspendProcess": true},"PatternDispositionValue": -663700974,"PatternId": -805101681,"PlatformId": "Uzbekrhythm","PlatformName": "Linux","ProcessEndTime": 894808581,"ProcessId": 1925024249,"ProcessStartTime": -663184419,"ReferrerUrl": "itstime","SHA1String": "howcash","SHA256String": "Finnishtelephone","Severity": 52,"SeverityName": "Low","SourceProducts": "anyoneunion","SourceVendors": "doublehat","Tactic": "thatwisdom","Technique": "condemnedlack","Type": "ldt","UserName": "yourgiraffe"}} +{"metadata": {"customerIDString": "Alpinejuice","offset": 1855175240,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "lots ofroom","UserIp": "92.175.29.158","OperationName": "activateUser","ServiceName": "detections","AuditKeyValues": [{"Key": "howbody","ValueString": "whoseregiment"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "manyhost"}}} +{"metadata": {"customerIDString": "uninterestedpack","offset": 1982331356,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "muchsandwich","HostnameField": "myslavery","UserName": "disgustingtime","StartTimestamp": 1582830734,"AgentIdString": "herstairs"}} +{"metadata": {"customerIDString": "plenty ofkindness","offset": 1560495884,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "herecase","DataDomains": "Network","Description": "Machiavellianchild","DetectId": "Laotiancrew","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "0.78.113.82","HostNames": "greatcrib","Name": "itsears","PatternId": 1839132024,"Severity": 62,"SourceProducts": "Danishhatred","SourceVendors": "whatmurder","StartTimeEpoch": 1643317697728000000,"TacticIds": "thistowel","Tactics": "whybook","TechniqueIds": "Kazakhbody","Techniques": "thattrend","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "hereway","offset": 1024865088,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "wheredivorce","State": "open","FineScore": 2.484165845727425,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "thoughtfulparty","HostID": "Bangladeshihost","LMHostIDs": ["obnoxiousexaltation"],"UserId": "theirdishonesty"}} +{"metadata": {"customerIDString": "thatcabin","offset": -1711944094,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "everybodylemon","DataDomains": "Endpoint","Description": "sheaf part donkey bowl laptop anthology Swisscomb","DetectId": "mywelfare","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "218.87.202.198","HostNames": "Thaibattery","Name": "whichbuilding","PatternId": -458966363,"Severity": 4,"SourceProducts": "ourwealth","SourceVendors": "condemnedcloud","StartTimeEpoch": 1643317697728000000,"TacticIds": "whatphysician","Tactics": "anythingtrust","TechniqueIds": "whatgroup","Techniques": "whichdeceit","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "allexaltation","offset": -1520957765,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 1973750771,"ProcessEndTime": 1601414674,"ProcessId": -1735927873,"ParentProcessId": -75612841,"ComputerName": "Afghancast","UserName": "whatharvest","DetectName": "Atlanteanman","DetectDescription": "whichchild","Severity": 3,"SeverityName": "Informational","FileName": "hereteam","FilePath": "everythingimagination\\hereteam","CommandLine": "C:\\Windows\\alldeceit","SHA256String": "Himalayanquiver","MD5String": "sorebird","SHA1String": "Asiananimal","MachineDomain": "Frenchpanda","NetworkAccesses": [{"AccessType": -622454208,"AccessTimestamp": 1751371565,"Protocol": "lightcamp","LocalAddress": "177.92.161.233","LocalPort": 35168,"RemoteAddress": "225.125.142.102","RemotePort": 79066,"ConnectionDirection": 1,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/innocentinfancy?_cid=xxxxxxx","SensorId": "hereworld","IOCType": "command_line","IOCValue": "whatmonkey","DetectId": "heretomato","LocalIP": "176.173.231.175","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "thisappetite","Technique": "whylife","Objective": "hisbale","PatternDispositionDescription": "bouquet professor spoon man stack street stand exaltation soup patrol way bale bunch class pack galaxy host party violence fewshorts","PatternDispositionValue": 860253238,"PatternDispositionFlags": {"Indicator": false,"Detect": true,"InddetMask": false,"SensorOnly": true,"Rooting": true,"KillProcess": false,"KillSubProcess": true,"QuarantineMachine": true,"QuarantineFile": false,"PolicyDisabled": true,"KillParent": false,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": false,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": true,"SuspendParent": true},"ParentImageFileName": "eachfashion","ParentCommandLine": "whichcast","GrandparentImageFileName": "whatcompany","GrandparentCommandLine": "someoneforest","HostGroups": "Thatcheritetroop","AssociatedFile": "Cypriotclass","PatternId": 839535497}} +{"metadata": {"customerIDString": "Beninesechair","offset": -2075627414,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "mysunshine","DataDomains": "Endpoint","Description": "way cackle yoga posse battery murder mob horror goal year couch pharmacy caravan software fire world over thereboard","DetectId": "anyjoy","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "15.43.188.247","HostNames": "a littlechaos","Name": "cautiouspancake","PatternId": -1322158317,"Severity": 91,"SourceProducts": "theremagic","SourceVendors": "adorablebutter","StartTimeEpoch": 1643317697728000000,"TacticIds": "nobodypollution","Tactics": "toohorror","TechniqueIds": "howwisp","Techniques": "allshower","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "thisshirt","offset": -1459608883,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "Orwellianweather","CustomerId": "myteam","Ipv": "80.161.14.82","CommandLine": "Monacanwork","ConnectionDirection": "0","EventType": "FirewallRuleApplicationFailed","Flags": {"Audit": false,"Log": true,"Monitor": true},"HostName": "everyoneloneliness","ICMPCode": "thosepack","ICMPType": "therescold","ImageFileName": "itschild","LocalAddress": "97.233.247.218","LocalPort": "59287","MatchCount": -752703552,"MatchCountSinceLastReport": 1362140228,"NetworkProfile": "whichpod","PID": "1335199845","PolicyName": "Greekcompany","PolicyID": "toughcase","Protocol": "Canadianenergy","RemoteAddress": "42.122.0.30","RemotePort": "45924","RuleAction": "yourpigeon","RuleDescription": "bush part bundle woman thosetrip","RuleFamilyID": "itidea","RuleGroupName": "dangeroussnow","RuleName": "Hitlerianchildhood","RuleId": "lazyoil","Status": "howteam","Timestamp": 1751371830,"TreeID": "thesenumber"}} +{"metadata": {"customerIDString": "somebodyfreedom","offset": 43657060,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "over thereyear","UserID": "Guyanesebouquet","ExecutionID": "heavilyunion","ReportID": "tensereligion","ReportName": "hishost","ReportType": "whygroup","ReportFileReference": "livelyarmy","Status": "eachboard","StatusMessage": "howpod","ExecutionMetadata": {"ExecutionStart": -1103599907,"ExecutionDuration": 148919912,"ReportFileName": "hergirl","ResultCount": -1505061778,"ResultID": "substantialcaravan","SearchWindowStart": -1306083482,"SearchWindowEnd": -1762388995}}} +{"metadata": {"customerIDString": "muchspeed","offset": 2021566226,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "herehail","IncidentDescription": "temple part class government caravan lawn mustering fleet aid house horde wisp life wood lie wisp camp hail power child envy flock tameeye","Severity": 18,"SeverityName": "Informational","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "Rooseveltiangovernment","UserName": "worrisomepigeon","EndpointName": "theseedge","EndpointIp": "253.204.237.58","Category": "Incidents","NumbersOfAlerts": 1612452297,"NumberOfCompromisedEntities": -606725477,"State": "IN_PROGRESS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/mygroup?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "whichmuster","offset": 970552522,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "thatlibrary","IncidentDescription": "sheaf tablet spot riches mercy fact irritation school dream lighter wad set regiment face stand galaxy party host head set horde scold fewrubbish","Severity": 36,"SeverityName": "Critical","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "itswisp","UserName": "somegrandmother","EndpointName": "fewxylophone","EndpointIp": "134.186.0.23","Category": "Incidents","NumbersOfAlerts": -773093891,"NumberOfCompromisedEntities": 284406,"State": "IN_PROGRESS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Monacanobesity?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "hersleep","offset": 2117033481,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "yourtrip","DataDomains": "Identity","Description": "village congregation emptylaughter","DetectId": "anyheap","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "151.18.34.14","HostNames": "hundredregiment","Name": "whyhand","PatternId": 96844202,"Severity": 29,"SourceProducts": "mycourage","SourceVendors": "heavilytrain","StartTimeEpoch": 1643317697728000000,"TacticIds": "ournumber","Tactics": "impromptucluster","TechniqueIds": "wherepacket","Techniques": "lighthand","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "severalcast","offset": -2011435482,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "muchnest","HostnameField": "thesewit","UserName": "nobodyband","StartTimestamp": 1582830734,"AgentIdString": "theredeceit"}} +{"metadata": {"customerIDString": "whycat","offset": -1991816859,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "itsyear","State": "open","FineScore": 8.621264100330867,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "Danishnation","HostID": "whoseday","LMHostIDs": ["everythingbook"],"UserId": "someenergy"}} +{"metadata": {"customerIDString": "Beethovenianjoy","offset": 1291930396,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "concerningparrot","CustomerId": "purplecup","Ipv": "25.130.123.155","CommandLine": "itswood","ConnectionDirection": "0","EventType": "FirewallRuleIP6Matched","Flags": {"Audit": true,"Log": true,"Monitor": false},"HostName": "theregroup","ICMPCode": "howkangaroo","ICMPType": "Americanthing","ImageFileName": "whichcluster","LocalAddress": "168.220.113.250","LocalPort": "17728","MatchCount": -1354762399,"MatchCountSinceLastReport": 1795572098,"NetworkProfile": "sometea","PID": "1693870489","PolicyName": "fewold age","PolicyID": "thereworld","Protocol": "Africanbunch","RemoteAddress": "139.83.198.250","RemotePort": "37436","RuleAction": "stormyteam","RuleDescription": "range pain brace set town eye ball way government band cluster speed corner comb thing host weight wickedgalaxy","RuleFamilyID": "healthytime","RuleGroupName": "Turkishishadvice","RuleName": "strangepack","RuleId": "comfortableway","Status": "severalchest","Timestamp": 1751371830,"TreeID": "powerlesscovey"}} +{"metadata": {"customerIDString": "Japanesethrill","offset": 1084205992,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "wherering","UserIp": "209.232.50.163","OperationName": "grantUserRoles","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "itsloneliness","ValueString": "whoseorange"}],"Attributes": {"actor_cid": "Chinesecaravan","actor_user": "wholepair","actor_user_uuid": "yourexaltation","app_id": "tastycare","saml_assertion": "Colombianbucket","target_user": "Slovakbook","trace_id": "thesehost"}}} +{"metadata": {"customerIDString": "itsplant","offset": 2042161910,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -1616413875,"ProcessEndTime": 109600100,"ProcessId": -41791688,"ParentProcessId": -88364674,"ComputerName": "hiselectricity","UserName": "disgustingwork","DetectName": "howcrowd","DetectDescription": "cheeks relaxation time basket yoga party bunch shower head tribe place wolf pack set company train divorce body day comfort obesity range chest theirstress","Severity": 1,"SeverityName": "Medium","FileName": "adventuroustrip","FilePath": "Dutchposse\\adventuroustrip","CommandLine": "C:\\Windows\\cutebelief","SHA256String": "therebundle","MD5String": "somebodycongregation","SHA1String": "wherewit","MachineDomain": "Muscoviteperson","NetworkAccesses": [{"AccessType": -1608469328,"AccessTimestamp": 1751371565,"Protocol": "mycleverness","LocalAddress": "133.71.68.246","LocalPort": 72747,"RemoteAddress": "37.194.48.145","RemotePort": 78870,"ConnectionDirection": 2,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whatluck?_cid=xxxxxxx","SensorId": "thosefilm","IOCType": "behavior","IOCValue": "Cormoranjustice","DetectId": "inquiringplant","LocalIP": "143.246.203.58","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "herbundle","Technique": "Thatcheritehumour","Objective": "a little bitsalt","PatternDispositionDescription": "loss galaxy life woman scheme place son thing eye bag mob muster freedom luxury day economics exaltation care wheat mercy blouse orchard team nobodypleasure","PatternDispositionValue": 213000018,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": false,"SensorOnly": true,"Rooting": false,"KillProcess": true,"KillSubProcess": true,"QuarantineMachine": true,"QuarantineFile": false,"PolicyDisabled": false,"KillParent": true,"OperationBlocked": false,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": true,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "theirwoman","ParentCommandLine": "Englishdoor","GrandparentImageFileName": "nocompany","GrandparentCommandLine": "mypoint","HostGroups": "halfteam","AssociatedFile": "hisbale","PatternId": -612094550}} +{"metadata": {"customerIDString": "whosesilence","offset": -1101819049,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "thiselection","DetectName": "therebevy","DetectDescription": "wisp tolerance muster cautiouspatrol","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/somebodymother?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 12,"SeverityName": "High","Tactic": "Englishhail","Technique": "yourtrend","Objective": "yellowhat","SourceAccountDomain": "brightboy","SourceAccountName": "theirchaise longue","SourceAccountObjectSid": "whosebasket","SourceEndpointAccountObjectGuid": "Thatcheriteproblem","SourceEndpointAccountObjectSid": "thosepatrol","SourceEndpointHostName": "thoselitter","SourceEndpointIpAddress": "214.134.146.212","SourceEndpointSensorId": "theirexaltation","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "whynumber","PatternId": -1694512080}} +{"metadata": {"customerIDString": "luckyfriend","offset": -1320502072,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "Peruvianfriend","Region": "us-west-2","ResourceId": "upsetadvice","ResourceIdType": "ourscold","ResourceName": "everybodyjealousy","ResourceCreateTime": 0,"PolicyStatement": "itswork","PolicyId": 1065593971,"Severity": 4,"SeverityName": "Low","CloudPlatform": "ourclump","CloudService": "Hitlerianjoy","Disposition": "Passed","ResourceUrl": "whoseluck","Finding": "Costa Ricanjustice","Tags": [{"Key": "histroop","ValueString": "theirband"}],"ReportUrl": "youngbunch","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "yournap","offset": 52775202,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "hereuncle","UserIp": "220.90.37.221","OperationName": "requestResetPassword","ServiceName": "detections","AuditKeyValues": [{"Key": "allpollution","ValueString": "yourwoman"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "whybow"}}} +{"metadata": {"customerIDString": "theirbevy","offset": -1067305303,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "thoughtfulcatalog","PolicyId": 2140486263,"PolicyStatement": "itsproject","CloudProvider": "whyidea","CloudService": "thosehand","Severity": 91,"SeverityName": "Medium","EventAction": "a little bittroupe","EventSource": "Turkishchild","EventCreatedTimestamp": 1663011160,"UserId": "whatconfusion","UserName": "whymirror","UserSourceIp": "112.140.0.11","Tactic": "thosecar","Technique": "openmonkey"}} +{"metadata": {"customerIDString": "Burkineseprogress","offset": -1876291398,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "famousanswer","Region": "us-east-2","ResourceId": "whosearchipelago","ResourceIdType": "ourhouse","ResourceName": "onething","ResourceCreateTime": 0,"PolicyStatement": "myhorror","PolicyId": -438619601,"Severity": 52,"SeverityName": "Informational","CloudPlatform": "whypermission","CloudService": "everybodygroup","Disposition": "Passed","ResourceUrl": "theircorner","Finding": "howregiment","Tags": [{"Key": "thismob","ValueString": "whatspeed"}],"ReportUrl": "theirenergy","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "knightlyplant","offset": -795467579,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "thoseteam","Highlights": ["hisfailure"],"MatchedTimestamp": 1686889114000,"RuleId": "wheretroupe","RuleName": "whichpod","RuleTopic": "thoughtfulfood","RulePriority": "eachwealth","ItemId": "whoseboard","ItemType": "CS","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "whosemurder","offset": -2040266645,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "Indonesianpart","HostnameField": "poisedchildren","UserName": "outrageousadvice","StartTimestamp": 1582830734,"AgentIdString": "whypoint"}} +{"metadata": {"customerIDString": "Elizabethanvision","offset": -1497924211,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 1607933238,"ProcessEndTime": -15463873,"ProcessId": -1301506679,"ParentProcessId": -896896464,"ComputerName": "somefriendship","UserName": "impromptuschool","DetectName": "Laotianwad","DetectDescription": "stand troupe muster brother party food thing pod problem library lamp posse pack scold point disregard mob time catalog life bunch leap significantpatience","Severity": 4,"SeverityName": "Critical","FileName": "pricklingboxers","FilePath": "thesefriend\\pricklingboxers","CommandLine": "C:\\Windows\\Torontonianmustering","SHA256String": "nobodywork","MD5String": "yourcompany","SHA1String": "whichcomb","MachineDomain": "numeroustime","NetworkAccesses": [{"AccessType": 679253587,"AccessTimestamp": 1751371565,"Protocol": "mymob","LocalAddress": "204.28.103.128","LocalPort": 40511,"RemoteAddress": "45.210.118.214","RemotePort": 39206,"ConnectionDirection": 1,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/allgroup?_cid=xxxxxxx","SensorId": "howanger","IOCType": "filename","IOCValue": "whosepunctuation","DetectId": "fewbouquet","LocalIP": "66.102.253.111","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "hergroup","Technique": "howmustering","Objective": "over therejoy","PatternDispositionDescription": "traffic tomato vision foot seafood muster horn someoneidea","PatternDispositionValue": -1157171598,"PatternDispositionFlags": {"Indicator": false,"Detect": false,"InddetMask": false,"SensorOnly": true,"Rooting": true,"KillProcess": true,"KillSubProcess": false,"QuarantineMachine": false,"QuarantineFile": true,"PolicyDisabled": true,"KillParent": true,"OperationBlocked": false,"ProcessBlocked": true,"RegistryOperationBlocked": true,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": true,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": true,"SuspendParent": true},"ParentImageFileName": "eachsand","ParentCommandLine": "oursolitude","GrandparentImageFileName": "knightlyweather","GrandparentCommandLine": "Uzbekexaltation","HostGroups": "Koreanusage","AssociatedFile": "whosebird","PatternId": 1345104076}} +{"metadata": {"customerIDString": "thereway","offset": -1246758550,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "howpack","Region": "us-west-1","ResourceId": "howweek","ResourceIdType": "Pacificsolitude","ResourceName": "theremarriage","ResourceCreateTime": 0,"PolicyStatement": "Vietnameseknife","PolicyId": -1724024903,"Severity": 75,"SeverityName": "Critical","CloudPlatform": "Turkmenway","CloudService": "therehelp","Disposition": "Failed","ResourceUrl": "histruth","Finding": "hundredsriches","Tags": [{"Key": "therestack","ValueString": "eachslippers"}],"ReportUrl": "lots ofbunch","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "faithfulbunch","offset": -1313057981,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "eachtomato","PolicyId": 1827925826,"PolicyStatement": "Egyptianbill","CloudProvider": "thesemob","CloudService": "somethrill","Severity": 31,"SeverityName": "Informational","EventAction": "heavilysedge","EventSource": "whatwad","EventCreatedTimestamp": 1663011160,"UserId": "everybodyday","UserName": "myhost","UserSourceIp": "180.130.45.111","Tactic": "anygroup","Technique": "itsparty"}} +{"metadata": {"customerIDString": "abundantcap","offset": 1987256938,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "plenty ofreligion","CustomerId": "wheregarage","Ipv": "240.12.98.92","CommandLine": "onemob","ConnectionDirection": "2","EventType": "FirewallRuleApplicationFailed","Flags": {"Audit": true,"Log": false,"Monitor": true},"HostName": "whycrew","ICMPCode": "plenty ofwit","ICMPType": "Guyanesepeace","ImageFileName": "hisenergy","LocalAddress": "171.220.213.231","LocalPort": "24578","MatchCount": 1544303582,"MatchCountSinceLastReport": -1943062570,"NetworkProfile": "severalstreet","PID": "1387435999","PolicyName": "nodress","PolicyID": "confusingsnowman","Protocol": "mycouch","RemoteAddress": "139.80.46.32","RemotePort": "11855","RuleAction": "ourhonesty","RuleDescription": "spottedfood","RuleFamilyID": "Colombianschool","RuleGroupName": "somewidth","RuleName": "grumpyweek","RuleId": "whichart","Status": "allnumber","Timestamp": 1751371830,"TreeID": "Iraqidog"}} +{"metadata": {"customerIDString": "anythinggang","offset": 702249484,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "thisimportance","MobileDetectionId": 564298668,"ComputerName": "Italianliterature","UserName": "whoseflock","ContextTimeStamp": 1649061056,"DetectId": "Rooseveltianstreet","DetectName": "whatwork","DetectDescription": "towel bird door whathost","Tactic": "shinybill","TacticId": "nonecurrency","Technique": "thesebook","TechniqueId": "oddmustering","Objective": "everybodysink","Severity": 97,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/allpair?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "severalset","AndroidAppLabel": "theiradvantage","DexFileHashes": "ourcare","ImageFileName": "heavychild","AppInstallerInformation": "eachwad","IsBeingDebugged": false,"AndroidAppVersionName": "howfire","IsContainerized": true}]}} +{"metadata": {"customerIDString": "anyyear","offset": -2097150535,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "hisworld","DataDomains": "Cloud","Description": "army lawyer friendship group time hedge job light line team wherepack","DetectId": "eitherbale","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "6.128.247.178","HostNames": "herroad","Name": "hertime","PatternId": 1611855996,"Severity": 13,"SourceProducts": "hisway","SourceVendors": "thosecompany","StartTimeEpoch": 1643317697728000000,"TacticIds": "lots ofbird","Tactics": "Victoriankilometer","TechniqueIds": "howclump","Techniques": "mybevy","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "Atlanticmustering","offset": 804608566,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "everythingposse","Region": "us-east-2","ResourceId": "whereleap","ResourceIdType": "thesehedge","ResourceName": "elatedbush","ResourceCreateTime": 0,"PolicyStatement": "allstand","PolicyId": 671230144,"Severity": 19,"SeverityName": "Low","CloudPlatform": "hereloneliness","CloudService": "everythingappetite","Disposition": "Passed","ResourceUrl": "howtroop","Finding": "fullyear","Tags": [{"Key": "sufficientharvest","ValueString": "emptynumber"}],"ReportUrl": "thosetraffic","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "Monacanarchipelago","offset": -798305790,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "fewannoyance","State": "closed","FineScore": 6.078521740200174,"LateralMovement": 0,"IncidentType": 2,"IncidentID": "thischeese","HostID": "Marxistwad","LMHostIDs": ["anycarrot"],"UserId": "wholeroom"}} +{"metadata": {"customerIDString": "wherepacket","offset": 845841115,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "anyappetite","UserIp": "1.86.80.213","OperationName": "deactivateUser","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "eagerpod","ValueString": "littlemob"}],"Attributes": {"actor_cid": "herheart","actor_user": "tooweek","actor_user_uuid": "badnoise","app_id": "Swaziharm","saml_assertion": "Polishmob","target_user": "allcast","trace_id": "whatshop"}}} +{"metadata": {"customerIDString": "Orwellianmethod","offset": 574885279,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "fiercepleasure","State": "open","FineScore": 2.744330277602896,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "somepoint","HostID": "itsmember","LMHostIDs": ["singlefire"],"UserId": "over therehost"}} +{"metadata": {"customerIDString": "anyonetea","offset": 238823863,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "Plutonianscold","UserID": "somegang","ExecutionID": "lots ofcackle","ReportID": "anythingperson","ReportName": "whytheater","ReportType": "pricklingcaravan","ReportFileReference": "manybattery","Status": "whytribe","StatusMessage": "hisreel","ExecutionMetadata": {"ExecutionStart": -15392455,"ExecutionDuration": 888890225,"ReportFileName": "neitherforest","ResultCount": -594326357,"ResultID": "heregroup","SearchWindowStart": 865282015,"SearchWindowEnd": 2022399683}}} +{"metadata": {"customerIDString": "fewtroop","offset": -498457272,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "so fewlife","State": "closed","FineScore": 4.443175154365333,"LateralMovement": 1,"IncidentType": 2,"IncidentID": "wherelife","HostID": "over theremistake","LMHostIDs": ["wherelife"],"UserId": "troublingbuffalo"}} +{"metadata": {"customerIDString": "myyoga","offset": 1439636240,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -2022562641,"ProcessEndTime": -1156665627,"ProcessId": -364850416,"ParentProcessId": 286295241,"ComputerName": "someonegenerosity","UserName": "gleamingtiming","DetectName": "allworld","DetectDescription": "street car brain set anthology set trousers thesedelay","Severity": 4,"SeverityName": "Medium","FileName": "somebodyarmy","FilePath": "muchanthology\\somebodyarmy","CommandLine": "C:\\Windows\\theseway","SHA256String": "manyparty","MD5String": "mostforest","SHA1String": "whystream","MachineDomain": "Brazilianhotel","NetworkAccesses": [{"AccessType": -770984556,"AccessTimestamp": 1751371565,"Protocol": "whatrange","LocalAddress": "97.122.36.88","LocalPort": 7374,"RemoteAddress": "170.55.197.77","RemotePort": 72679,"ConnectionDirection": 2,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Burmeseman?_cid=xxxxxxx","SensorId": "emptykeyboard","IOCType": "hash_sha256","IOCValue": "enough ofobesity","DetectId": "over thererange","LocalIP": "234.220.4.208","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "plenty ofcare","Technique": "a little bitgalaxy","Objective": "Spanishpod","PatternDispositionDescription": "way battery frighteningwoman","PatternDispositionValue": 1535724418,"PatternDispositionFlags": {"Indicator": true,"Detect": true,"InddetMask": false,"SensorOnly": false,"Rooting": true,"KillProcess": true,"KillSubProcess": true,"QuarantineMachine": false,"QuarantineFile": false,"PolicyDisabled": true,"KillParent": false,"OperationBlocked": false,"ProcessBlocked": true,"RegistryOperationBlocked": true,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": false,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": true,"SuspendParent": true},"ParentImageFileName": "therewad","ParentCommandLine": "itsanger","GrandparentImageFileName": "eachplane","GrandparentCommandLine": "Italiantrend","HostGroups": "whichostrich","AssociatedFile": "somedaughter","PatternId": 44914446}} +{"metadata": {"customerIDString": "helpfulreligion","offset": 366394011,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "muchfurniture","PolicyId": -2115267427,"PolicyStatement": "Cambodianpoint","CloudProvider": "yourrabbit","CloudService": "repellingcalm","Severity": 84,"SeverityName": "Informational","EventAction": "manyarchipelago","EventSource": "lightidea","EventCreatedTimestamp": 1663011160,"UserId": "thesepack","UserName": "grumpydollar","UserSourceIp": "197.194.169.131","Tactic": "Bahamianpain","Technique": "somebodypoverty"}} +{"metadata": {"customerIDString": "whereharm","offset": 182113224,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "luckydesigner","HostnameField": "wherecovey","UserName": "thoseplant","StartTimestamp": 1582830734,"AgentIdString": "grievingchild"}} +{"metadata": {"customerIDString": "herlife","offset": -1347839151,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -1472770705,"ProcessEndTime": -566264563,"ProcessId": -125042445,"ParentProcessId": 322626648,"ComputerName": "thosestream","UserName": "Bangladeshiline","DetectName": "fullcongregation","DetectDescription": "number religion waist advantage year farm posse chapter weight troop leap regiment bouquet annoyance father army gossip life remote greatarmy","Severity": 1,"SeverityName": "Critical","FileName": "blushingnumber","FilePath": "Turkishcollection\\blushingnumber","CommandLine": "C:\\Windows\\whatorange","SHA256String": "theirwisp","MD5String": "blackmustering","SHA1String": "whosescold","MachineDomain": "Gaussianostrich","NetworkAccesses": [{"AccessType": 1370136032,"AccessTimestamp": 1751371565,"Protocol": "therebale","LocalAddress": "81.200.104.45","LocalPort": 7611,"RemoteAddress": "208.226.76.212","RemotePort": 47016,"ConnectionDirection": 1,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Polynesianegg?_cid=xxxxxxx","SensorId": "anyanthology","IOCType": "hash_sha256","IOCValue": "insufficienthost","DetectId": "thatbevy","LocalIP": "12.99.213.236","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "theirwealth","Technique": "creepycouch","Objective": "anythinggalaxy","PatternDispositionDescription": "tie caravan plan school rhythm juice murder sunshine allcoat","PatternDispositionValue": 810334443,"PatternDispositionFlags": {"Indicator": true,"Detect": true,"InddetMask": true,"SensorOnly": false,"Rooting": false,"KillProcess": false,"KillSubProcess": false,"QuarantineMachine": false,"QuarantineFile": true,"PolicyDisabled": true,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": true,"RegistryOperationBlocked": true,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": false,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": true,"SuspendParent": true},"ParentImageFileName": "thereconfusion","ParentCommandLine": "uptightdream","GrandparentImageFileName": "theredamage","GrandparentCommandLine": "whymob","HostGroups": "superchest","AssociatedFile": "theseperson","PatternId": -1552948663}} +{"metadata": {"customerIDString": "mygarage","offset": 2045369704,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "somebodyfact","UserIp": "180.134.208.35","OperationName": "createUser","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "significantpacket","ValueString": "thesetime"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "plenty ofbrace"}}} +{"metadata": {"customerIDString": "Portuguesepod","offset": 1799846313,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 766986983,"ProcessEndTime": -1642400641,"ProcessId": -31713984,"ParentProcessId": 1064355819,"ComputerName": "Burkineseshower","UserName": "someoneschool","DetectName": "mywolf","DetectDescription": "alligator factory youth quiver happiness wings silence staff hand wealth life confusion muster idea bread packet woman whyhatred","Severity": 5,"SeverityName": "Informational","FileName": "thatarchipelago","FilePath": "itbeauty\\thatarchipelago","CommandLine": "C:\\Windows\\busyplace","SHA256String": "gorgeousgovernment","MD5String": "severaltroop","SHA1String": "whyjoy","MachineDomain": "hiscompany","NetworkAccesses": [{"AccessType": 229359115,"AccessTimestamp": 1751371565,"Protocol": "over therehedge","LocalAddress": "170.160.134.4","LocalPort": 13190,"RemoteAddress": "244.119.175.251","RemotePort": 33347,"ConnectionDirection": 2,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/over therepart?_cid=xxxxxxx","SensorId": "blushingpoint","IOCType": "hash_sha256","IOCValue": "somebodybunch","DetectId": "darksedge","LocalIP": "104.98.225.108","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "whosefleet","Technique": "sparseweek","Objective": "nobodyluxuty","PatternDispositionDescription": "pair congregation grains galaxy awareness effect electricity bookstore dentist pyramid nest fish man foot herinfancy","PatternDispositionValue": 1033554059,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": false,"SensorOnly": false,"Rooting": false,"KillProcess": false,"KillSubProcess": false,"QuarantineMachine": false,"QuarantineFile": true,"PolicyDisabled": true,"KillParent": false,"OperationBlocked": false,"ProcessBlocked": false,"RegistryOperationBlocked": false,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": true,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": true,"SuspendParent": true},"ParentImageFileName": "whydivorce","ParentCommandLine": "hersilence","GrandparentImageFileName": "itsorchard","GrandparentCommandLine": "herepack","HostGroups": "itwisdom","AssociatedFile": "thoseregiment","PatternId": -45878665}} +{"metadata": {"customerIDString": "everyonemother","offset": 165528476,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "anyonefield","UserIp": "247.105.81.226","OperationName": "requestResetPassword","ServiceName": "Crowdstrike Streaming API","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "Pacificmustering","ValueString": "ourunion"}],"Attributes": {"actor_cid": "ourbasket","actor_user": "thisfilm","actor_user_uuid": "whatmuster","app_id": "uglyflock","saml_assertion": "yourparty","target_user": "Colombiancompany","trace_id": "itteam"}}} +{"metadata": {"customerIDString": "Iranianproblem","offset": 1095486537,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "gleamingsand","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\oddfan","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Network","Description": "part caravan army tolerance pack company ability sedge old age severalcalm","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/abundantgroup?_cid=xxxxxxx","FileName": "whoseperson","FilePath": "Freudianluxuty\\whoseperson","FilesAccessed": [{"FileName": "whoseperson","FilePath": "Freudianluxuty\\whoseperson","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "whoseperson","FilePath": "Freudianluxuty\\whoseperson","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\therepleasure","GrandParentImageFileName": "itshost","GrandParentImageFilePath": "Lincolnianweek\\itshost","HostGroups": "frailfiction","Hostname": "fewbus","LocalIP": "172.147.46.0","LocalIPv6": "208.212.56.34","LogonDomain": "mostwisp","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "Swissgirl","Name": "everybodyboard","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 1592208001,"ConnectionDirection": 1,"IsIPV6": false,"LocalAddress": "251.127.72.126","LocalPort": 58478,"Protocol": "somebodytribe","RemoteAddress": "5.196.7.95","RemotePort": 82239}],"Objective": "Monacanlibrary","ParentCommandLine": "C:\\Windows\\hugegirl\\allbasket","ParentImageFileName": "allbasket","ParentImageFilePath": "itchyrice\\allbasket","ParentProcessId": 722547488,"PatternDispositionDescription": "aircraft deceit fact calm buckles leap goodness furniture caravan ring comb uncle bread ambulance poverty reel band troop magic Polishmobile","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": false,"ContainmentFileSystem": false,"CriticalProcessDisabled": true,"Detect": false,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"InddetMask": false,"Indicator": false,"KillActionFailed": true,"KillParent": false,"KillProcess": true,"KillSubProcess": true,"OperationBlocked": false,"PolicyDisabled": true,"ProcessBlocked": true,"QuarantineFile": false,"QuarantineMachine": false,"RegistryOperationBlocked": true,"Rooting": false,"SensorOnly": false,"SuspendParent": true,"SuspendProcess": false},"PatternDispositionValue": -589606010,"PatternId": -722944973,"PlatformId": "severalpoint","PlatformName": "Linux","ProcessEndTime": 497769204,"ProcessId": -1552453208,"ProcessStartTime": 7696833,"ReferrerUrl": "thispower","SHA1String": "Turkishishworld","SHA256String": "whyproblem","Severity": 23,"SeverityName": "Low","SourceProducts": "lighthomework","SourceVendors": "colorfulharm","Tactic": "Einsteiniandog","Technique": "itscaravan","Type": "ldt","UserName": "thiscrowd"}} +{"metadata": {"customerIDString": "thisimagination","offset": 1205396908,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "mysheaf","PolicyId": 1552025764,"PolicyStatement": "muchpack","CloudProvider": "nonecloud","CloudService": "Sammarineseinnocence","Severity": 45,"SeverityName": "Critical","EventAction": "someonepair","EventSource": "howstress","EventCreatedTimestamp": 1663011160,"UserId": "thislife","UserName": "strangeforest","UserSourceIp": "51.238.47.148","Tactic": "over therebermudas","Technique": "hundredbrilliance"}} +{"metadata": {"customerIDString": "everybodymotivation","offset": -1552411789,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -755853846,"ProcessEndTime": -626017870,"ProcessId": 171306624,"ParentProcessId": -1605361574,"ComputerName": "insufficientassistance","UserName": "mostleap","DetectName": "hisgoal","DetectDescription": "line mob student pigeon host train station church Viennesebrother","Severity": 3,"SeverityName": "Medium","FileName": "heavilyoutfit","FilePath": "Victoriancrowd\\heavilyoutfit","CommandLine": "C:\\Windows\\sparsestand","SHA256String": "manyheels","MD5String": "frailfuel","SHA1String": "severalfurniture","MachineDomain": "thisbale","NetworkAccesses": [{"AccessType": 1905863405,"AccessTimestamp": 1751371565,"Protocol": "so fewpack","LocalAddress": "252.187.76.200","LocalPort": 54719,"RemoteAddress": "105.117.210.70","RemotePort": 15495,"ConnectionDirection": 2,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Honduranway?_cid=xxxxxxx","SensorId": "significantdivorce","IOCType": "hash_sha256","IOCValue": "thereliter","DetectId": "enoughschool","LocalIP": "12.122.235.99","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "whichwalk","Technique": "ourfact","Objective": "modernalbum","PatternDispositionDescription": "scissors anthology generosity tribe hospitality crew garlic yoga case money day fun ship weight book wisp problem pair solitude electricity point collection anyalbum","PatternDispositionValue": 519124999,"PatternDispositionFlags": {"Indicator": false,"Detect": false,"InddetMask": false,"SensorOnly": false,"Rooting": true,"KillProcess": false,"KillSubProcess": true,"QuarantineMachine": true,"QuarantineFile": true,"PolicyDisabled": true,"KillParent": false,"OperationBlocked": false,"ProcessBlocked": true,"RegistryOperationBlocked": false,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": false,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": false,"SuspendParent": false},"ParentImageFileName": "itstunnel","ParentCommandLine": "thosethought","GrandparentImageFileName": "Germanheat","GrandparentCommandLine": "whichparty","HostGroups": "whypoint","AssociatedFile": "hiscollection","PatternId": -515938901}} +{"metadata": {"customerIDString": "whoseweek","offset": 424382754,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "everyonespeed","HostnameField": "South Americanboard","UserName": "Dutchfrailty","StartTimestamp": 1582830734,"AgentIdString": "iteye"}} +{"metadata": {"customerIDString": "quaintchoir","offset": -1820628241,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "howhail","CustomerId": "happystand","Ipv": "254.224.46.224","CommandLine": "puzzledpatrol","ConnectionDirection": "1","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": true,"Log": true,"Monitor": false},"HostName": "Atlanticforest","ICMPCode": "so fewmurder","ICMPType": "hereday","ImageFileName": "clumsyverb","LocalAddress": "165.34.247.0","LocalPort": "84018","MatchCount": -1132244125,"MatchCountSinceLastReport": 154807215,"NetworkProfile": "Uzbekcatalog","PID": "-1139455255","PolicyName": "Intelligentday","PolicyID": "couplegrowth","Protocol": "Barceloniantrain","RemoteAddress": "49.11.66.131","RemotePort": "41076","RuleAction": "hundredstrip","RuleDescription": "scold hedge team horror album week hat generation exaltation person class number sofa posse damage work staff hour herregiment","RuleFamilyID": "alltent","RuleGroupName": "anyoneflock","RuleName": "herrespect","RuleId": "agreeablehospitality","Status": "Turkishishregiment","Timestamp": 1751371830,"TreeID": "fewband"}} +{"metadata": {"customerIDString": "terriblecaravan","offset": -1505513889,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "proudanger","DetectName": "Cormoranyouth","DetectDescription": "remote troop genetics exaltation leap patrol shower pig cashier party dishonesty answer horde flock wisp snow pod life dynasty tent therething","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thispleasure?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 30,"SeverityName": "Informational","Tactic": "thosedynasty","Technique": "muddyfox","Objective": "ourfrock","SourceAccountDomain": "brighttribe","SourceAccountName": "magnificentchapter","SourceAccountObjectSid": "glamorousgun","SourceEndpointAccountObjectGuid": "Vietnamesesnow","SourceEndpointAccountObjectSid": "ourpower","SourceEndpointHostName": "thosetribe","SourceEndpointIpAddress": "246.74.61.78","SourceEndpointSensorId": "howestate","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "enoughlibrary","PatternId": 2080395392}} +{"metadata": {"customerIDString": "thisbridge","offset": 1773201448,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -654603925,"ProcessEndTime": 806141523,"ProcessId": 90753918,"ParentProcessId": -208198328,"ComputerName": "anyonetime","UserName": "enchantedarchipelago","DetectName": "theirworld","DetectDescription": "troop body loneliness ocean Elizabethanchoir","Severity": 2,"SeverityName": "Critical","FileName": "whyhost","FilePath": "Greekway\\whyhost","CommandLine": "C:\\Windows\\numerouschild","SHA256String": "Turkishcrew","MD5String": "anyonegovernment","SHA1String": "everybodyhorror","MachineDomain": "helpfultribe","NetworkAccesses": [{"AccessType": 1351333491,"AccessTimestamp": 1751371565,"Protocol": "hugestack","LocalAddress": "37.78.174.100","LocalPort": 35323,"RemoteAddress": "44.39.157.244","RemotePort": 67092,"ConnectionDirection": 2,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/hisapp?_cid=xxxxxxx","SensorId": "somebodystring","IOCType": "hash_md5","IOCValue": "whybunch","DetectId": "younganthology","LocalIP": "51.165.98.148","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "over therecovey","Technique": "fewchest","Objective": "somelist","PatternDispositionDescription": "happiness cashier group mercy slavery child line litter engine outfit flock fact stack article cluster scold koala theirplant","PatternDispositionValue": -1012384039,"PatternDispositionFlags": {"Indicator": false,"Detect": false,"InddetMask": false,"SensorOnly": false,"Rooting": false,"KillProcess": true,"KillSubProcess": false,"QuarantineMachine": true,"QuarantineFile": true,"PolicyDisabled": true,"KillParent": false,"OperationBlocked": true,"ProcessBlocked": true,"RegistryOperationBlocked": true,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": false,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": false,"SuspendParent": false},"ParentImageFileName": "herteam","ParentCommandLine": "somemanagement","GrandparentImageFileName": "theirpart","GrandparentCommandLine": "enough ofbale","HostGroups": "Antarcticresearch","AssociatedFile": "Costa Ricanpleasure","PatternId": -551524066}} +{"metadata": {"customerIDString": "allbasket","offset": -450081615,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "severalday","IncidentDescription": "mob bale way ball evidence number turkey fact orchard wad hand work company hand choir board clarity chicken trust dynasty scold day ourgirl","Severity": 73,"SeverityName": "Critical","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "Guyaneseman","UserName": "fullcrime","EndpointName": "sparsesnow","EndpointIp": "103.97.45.179","Category": "Incidents","NumbersOfAlerts": -1125518693,"NumberOfCompromisedEntities": 257866486,"State": "IN_PROGRESS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thatchoir?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "nonelips","offset": 2031442298,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "doublemilk","PolicyId": -801807829,"PolicyStatement": "herwindow","CloudProvider": "sometour","CloudService": "somebodywoman","Severity": 65,"SeverityName": "Medium","EventAction": "Alaskanfriendship","EventSource": "allyear","EventCreatedTimestamp": 1663011160,"UserId": "itwound","UserName": "theseforest","UserSourceIp": "229.204.115.90","Tactic": "allbulb","Technique": "thosebutter"}} +{"metadata": {"customerIDString": "Slovakpopcorn","offset": 2008556161,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "Guyanesefood","UserIp": "193.5.12.148","OperationName": "revokeUserRoles","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "Spanishchaos","ValueString": "whichperson"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "obedienthand"}}} +{"metadata": {"customerIDString": "heavyreligion","offset": -767789731,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "frailstand","DetectName": "herbody","DetectDescription": "troop year pack part bottle disturbedclass","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/somebodyday?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 50,"SeverityName": "High","Tactic": "nobodysleep","Technique": "nobodycrowd","Objective": "yourpod","SourceAccountDomain": "itbear","SourceAccountName": "howobesity","SourceAccountObjectSid": "openpod","SourceEndpointAccountObjectGuid": "oneentertainment","SourceEndpointAccountObjectSid": "whypoverty","SourceEndpointHostName": "Portuguesequiver","SourceEndpointIpAddress": "207.20.215.32","SourceEndpointSensorId": "theseclass","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "mylove","PatternId": 305454461}} +{"metadata": {"customerIDString": "Rooseveltianentertainment","offset": 1973970316,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -2144511772,"ProcessEndTime": -1487880295,"ProcessId": -1646375989,"ParentProcessId": 481588581,"ComputerName": "Jungiancard","UserName": "howorchard","DetectName": "itsoap","DetectDescription": "clock irritation covey artist brilliance care flower posse mob toothpaste host thing obesity everythingcloud","Severity": 5,"SeverityName": "Informational","FileName": "anyoneadvantage","FilePath": "tensefrailty\\anyoneadvantage","CommandLine": "C:\\Windows\\hundredsgeneration","SHA256String": "illgenetics","MD5String": "severalfoot","SHA1String": "Einsteiniangrandfather","MachineDomain": "eitherjoy","NetworkAccesses": [{"AccessType": 2089089608,"AccessTimestamp": 1751371565,"Protocol": "nonecatalog","LocalAddress": "162.252.153.169","LocalPort": 78477,"RemoteAddress": "61.250.227.115","RemotePort": 54375,"ConnectionDirection": 2,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/shinystand?_cid=xxxxxxx","SensorId": "thosearmy","IOCType": "hash_md5","IOCValue": "whypencil","DetectId": "itmurder","LocalIP": "12.43.172.16","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "Alpinepain","Technique": "hugepart","Objective": "whosepermission","PatternDispositionDescription": "set crowd coffee party Romanpair","PatternDispositionValue": -370145664,"PatternDispositionFlags": {"Indicator": false,"Detect": false,"InddetMask": true,"SensorOnly": true,"Rooting": false,"KillProcess": false,"KillSubProcess": true,"QuarantineMachine": false,"QuarantineFile": false,"PolicyDisabled": true,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": true,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": false,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": true,"SuspendParent": true},"ParentImageFileName": "whatcase","ParentCommandLine": "thatcase","GrandparentImageFileName": "Muscovitepound","GrandparentCommandLine": "hisbale","HostGroups": "yourweather","AssociatedFile": "sometroop","PatternId": -229596095}} +{"metadata": {"customerIDString": "Intelligenthorror","offset": 1871139807,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "gracefulgroup","UserIp": "117.153.142.95","OperationName": "revokeUserRoles","ServiceName": "detections","AuditKeyValues": [{"Key": "howband","ValueString": "hertroop"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "stormygoal"}}} +{"metadata": {"customerIDString": "Thaiclarity","offset": 1143437964,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "significantwood","IncidentDescription": "Ecuadorianbridge","Severity": 99,"SeverityName": "Low","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "thisclarity","UserName": "nonewood","EndpointName": "heavilyfashion","EndpointIp": "106.221.161.64","Category": "Incidents","NumbersOfAlerts": 1797537844,"NumberOfCompromisedEntities": 52172658,"State": "NEW","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/allplant?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "severalwater melon","offset": 589671984,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "whatbrother","PolicyId": 485901958,"PolicyStatement": "thoseluxuty","CloudProvider": "Polynesiansister","CloudService": "eachstaff","Severity": 62,"SeverityName": "Informational","EventAction": "whybundle","EventSource": "doubleboard","EventCreatedTimestamp": 1663011160,"UserId": "couplehost","UserName": "severalgauva","UserSourceIp": "82.149.128.222","Tactic": "eachwork","Technique": "noneplace"}} +{"metadata": {"customerIDString": "whosehappiness","offset": 819306999,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "whichgarden","MobileDetectionId": -556086742,"ComputerName": "Himalayanmagic","UserName": "annoyingteam","ContextTimeStamp": 1649061056,"DetectId": "itsear","DetectName": "itsunshine","DetectDescription": "disregard patrol safety muster childhood group country scold brass housework person key packet itchygroup","Tactic": "whatstreet","TacticId": "sparsefarm","Technique": "Hinducase","TechniqueId": "someoneriches","Objective": "itsedge","Severity": 82,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/anylife?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "Lilliputianream","AndroidAppLabel": "theirbill","DexFileHashes": "longsmile","ImageFileName": "whycackle","AppInstallerInformation": "yourparty","IsBeingDebugged": false,"AndroidAppVersionName": "hungryluck","IsContainerized": true}]}} +{"metadata": {"customerIDString": "therefilm","offset": 2055136783,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "anythingream","UserIp": "104.7.82.31","OperationName": "revokeUserRoles","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "richsleep","ValueString": "everyonecovey"}],"Attributes": {"actor_cid": "itsgoat","actor_user": "thatkilometer","actor_user_uuid": "hertowel","app_id": "ashamedman","saml_assertion": "whygoal","target_user": "wherechild","trace_id": "thesegeneration"}}} +{"metadata": {"customerIDString": "Thaiquiver","offset": -847821443,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "anyonechaos","IncidentDescription": "bowl body orange life hedge team horde field host tribe man peace fleet content congregation howstand","Severity": 76,"SeverityName": "Low","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "itmuster","UserName": "whatback","EndpointName": "herlamb","EndpointIp": "191.184.250.52","Category": "Incidents","NumbersOfAlerts": -1357136370,"NumberOfCompromisedEntities": -80994199,"State": "RESOLVED","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/halfenthusiasm?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "oddinnocence","offset": 1969968356,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "enthusiasticostrich","Region": "us-west-2","ResourceId": "over theretroop","ResourceIdType": "manyfreezer","ResourceName": "couplenest","ResourceCreateTime": 0,"PolicyStatement": "whoseriver","PolicyId": 254177986,"Severity": 61,"SeverityName": "Informational","CloudPlatform": "whereharvest","CloudService": "manyunderwear","Disposition": "Failed","ResourceUrl": "successfuledge","Finding": "itwater","Tags": [{"Key": "itscackle","ValueString": "heavilyalbum"}],"ReportUrl": "frighteningday","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "anyclarity","offset": 1542644173,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "lonelycackle","UserIp": "231.215.192.184","OperationName": "requestResetPassword","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "ourapartment","ValueString": "thatgovernment"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "lonelyshower"}}} +{"metadata": {"customerIDString": "fullharvest","offset": -1992332871,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "Peruvianharvest","UserID": "everybodylove","ExecutionID": "thosetroupe","ReportID": "someonesmoke","ReportName": "relievedalbum","ReportType": "everycrime","ReportFileReference": "theirscale","Status": "orangecorruption","StatusMessage": "somewisp","ExecutionMetadata": {"ExecutionStart": -1612417320,"ExecutionDuration": 1964116284,"ReportFileName": "everyonedetermination","ResultCount": 1825181464,"ResultID": "gorgeoushospital","SearchWindowStart": -1637571655,"SearchWindowEnd": 2020347431}}} +{"metadata": {"customerIDString": "itsgroup","offset": -775610352,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "whichhatred","DetectName": "hundredsmirror","DetectDescription": "valley body horror thing host town ream wisp packet housework itscrew","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whichhorde?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 69,"SeverityName": "Medium","Tactic": "severalcash","Technique": "whatgroup","Objective": "Einsteiniancamp","SourceAccountDomain": "Uzbekexaltation","SourceAccountName": "allhost","SourceAccountObjectSid": "moststring","SourceEndpointAccountObjectGuid": "thatnest","SourceEndpointAccountObjectSid": "hereline","SourceEndpointHostName": "thisfame","SourceEndpointIpAddress": "30.172.35.246","SourceEndpointSensorId": "singlechild","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "lonelyprogress","PatternId": -1953673804}} +{"metadata": {"customerIDString": "lovelyarmy","offset": -574161724,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "numerousblock","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\Putinistcravat","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Web","Description": "album Alaskanfear","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/iteye?_cid=xxxxxxx","FileName": "whatliterature","FilePath": "brightchild\\whatliterature","FilesAccessed": [{"FileName": "whatliterature","FilePath": "brightchild\\whatliterature","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "whatliterature","FilePath": "brightchild\\whatliterature","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\over thereeye","GrandParentImageFileName": "myalligator","GrandParentImageFilePath": "thosesheaf\\myalligator","HostGroups": "motionlesscatalog","Hostname": "awfulhammer","LocalIP": "187.226.154.173","LocalIPv6": "239.12.226.54","LogonDomain": "whosebook","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "everyonecongregation","Name": "Sudanesehost","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -1291417288,"ConnectionDirection": 1,"IsIPV6": true,"LocalAddress": "132.51.80.34","LocalPort": 4492,"Protocol": "theirschool","RemoteAddress": "75.28.97.204","RemotePort": 69362}],"Objective": "outstandingpack","ParentCommandLine": "C:\\Windows\\Dutchwork\\lots ofharvest","ParentImageFileName": "lots ofharvest","ParentImageFilePath": "theirfather\\lots ofharvest","ParentProcessId": 611469371,"PatternDispositionDescription": "troupe heels world dog hand fiction year team work milk tree week troupe horde pod cluster cheese solitude journey Somalitrip","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": true,"Detect": true,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"InddetMask": true,"Indicator": true,"KillActionFailed": true,"KillParent": false,"KillProcess": false,"KillSubProcess": true,"OperationBlocked": true,"PolicyDisabled": false,"ProcessBlocked": true,"QuarantineFile": false,"QuarantineMachine": true,"RegistryOperationBlocked": false,"Rooting": false,"SensorOnly": true,"SuspendParent": false,"SuspendProcess": false},"PatternDispositionValue": -527035831,"PatternId": 1573621037,"PlatformId": "dizzyingblack","PlatformName": "Windows","ProcessEndTime": 1750061039,"ProcessId": 546411519,"ProcessStartTime": 583658379,"ReferrerUrl": "grumpygroup","SHA1String": "thosehouse","SHA256String": "Intelligentproblem","Severity": 48,"SeverityName": "High","SourceProducts": "howharm","SourceVendors": "Afghancovey","Tactic": "ourset","Technique": "South Americanintelligence","Type": "ofp","UserName": "everybodywindow"}} +{"metadata": {"customerIDString": "thosestress","offset": 1574386475,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "thatsinger","CustomerId": "lightwork","Ipv": "25.148.27.85","CommandLine": "couplesedge","ConnectionDirection": "0","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": false,"Log": true,"Monitor": false},"HostName": "ourtribe","ICMPCode": "itphysician","ICMPType": "hisunion","ImageFileName": "thoseparty","LocalAddress": "194.17.104.9","LocalPort": "80040","MatchCount": 1748116640,"MatchCountSinceLastReport": -121494764,"NetworkProfile": "anythingexaltation","PID": "-1538695975","PolicyName": "Somalimob","PolicyID": "somebrass","Protocol": "Orwellianshower","RemoteAddress": "117.125.216.245","RemotePort": "37707","RuleAction": "severaltribe","RuleDescription": "sedge forest batch body week bale quiver thrill troop yourwoman","RuleFamilyID": "whosebundle","RuleGroupName": "Himalayanomen","RuleName": "thatream","RuleId": "theirtissue","Status": "whatday","Timestamp": 1751371830,"TreeID": "Congoleseold age"}} +{"metadata": {"customerIDString": "thatway","offset": -1442844535,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "whatband","UserIp": "182.7.86.28","OperationName": "activateUser","ServiceName": "detections","AuditKeyValues": [{"Key": "mostline","ValueString": "Barcelonianbatch"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "Sudaneseowl"}}} +{"metadata": {"customerIDString": "fewpart","offset": -1669561139,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "thisfarm","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\yourbale","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Email","Description": "trade catalog bundle money phone problem dynasty school muster excitingbrass","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whichluxuty?_cid=xxxxxxx","FileName": "Elizabethanclass","FilePath": "helplesschoir\\Elizabethanclass","FilesAccessed": [{"FileName": "Elizabethanclass","FilePath": "helplesschoir\\Elizabethanclass","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "Elizabethanclass","FilePath": "helplesschoir\\Elizabethanclass","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\thosecast","GrandParentImageFileName": "over therenutrition","GrandParentImageFilePath": "blushingnumber\\over therenutrition","HostGroups": "heranthology","Hostname": "substantialhand","LocalIP": "196.29.220.96","LocalIPv6": "134.230.245.53","LogonDomain": "whatrange","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "whatman","Name": "uptightgossip","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 56811732,"ConnectionDirection": 2,"IsIPV6": true,"LocalAddress": "106.152.237.108","LocalPort": 29498,"Protocol": "a littlemurder","RemoteAddress": "177.32.57.38","RemotePort": 15924}],"Objective": "theirtrip","ParentCommandLine": "C:\\Windows\\eachjudge\\noneapple","ParentImageFileName": "noneapple","ParentImageFilePath": "theirguilt\\noneapple","ParentProcessId": 2101150528,"PatternDispositionDescription": "bale app crowd number transportation Gaussianirritation","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": false,"ContainmentFileSystem": true,"CriticalProcessDisabled": false,"Detect": true,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"InddetMask": true,"Indicator": true,"KillActionFailed": false,"KillParent": false,"KillProcess": false,"KillSubProcess": true,"OperationBlocked": true,"PolicyDisabled": true,"ProcessBlocked": false,"QuarantineFile": false,"QuarantineMachine": false,"RegistryOperationBlocked": true,"Rooting": false,"SensorOnly": false,"SuspendParent": true,"SuspendProcess": true},"PatternDispositionValue": 1347352988,"PatternId": -481825112,"PlatformId": "manypunctuation","PlatformName": "Linux","ProcessEndTime": 1004644986,"ProcessId": 312838698,"ProcessStartTime": 1716459440,"ReferrerUrl": "manybravery","SHA1String": "Caesarianschool","SHA256String": "someengine","Severity": 29,"SeverityName": "High","SourceProducts": "ourflag","SourceVendors": "Belgianposse","Tactic": "therebravery","Technique": "wherehost","Type": "ofp","UserName": "whereproduction"}} +{"metadata": {"customerIDString": "fewbattery","offset": 819730980,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "anythingforest","DataDomains": "Web","Description": "company hour company designer battery year understanding bundle shark fun clarity tie love village stupidity year kubanrange","DetectId": "magnificenteffect","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "45.7.49.102","HostNames": "ourlove","Name": "whymob","PatternId": -1898961298,"Severity": 52,"SourceProducts": "Germanpanda","SourceVendors": "wholehatred","StartTimeEpoch": 1643317697728000000,"TacticIds": "severaltroop","Tactics": "itscrowd","TechniqueIds": "everybodygroup","Techniques": "blueslavery","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "so fewfailure","offset": -604173097,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "thatpunctuation","DataDomains": "Email","Description": "bunch year patrol sheaf harvest school ithorror","DetectId": "Intelligentphilosophy","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "99.40.140.74","HostNames": "herecap","Name": "thatwood","PatternId": 1396940807,"Severity": 8,"SourceProducts": "manyirritation","SourceVendors": "crowdeddream","StartTimeEpoch": 1643317697728000000,"TacticIds": "embarrassedbunch","Tactics": "insufficientroom (space)","TechniqueIds": "whichboxers","Techniques": "hugeparty","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "howlife","offset": -1823057691,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "thisgroup","DataDomains": "Cloud","Description": "knowledge brilliance equipment group movement fiction collection hedge fame problem patrol part information greatcovey","DetectId": "Machiavellianchild","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "229.246.233.111","HostNames": "Peruviantroop","Name": "Bangladeshiloss","PatternId": 644905388,"Severity": 39,"SourceProducts": "manychild","SourceVendors": "whycrowd","StartTimeEpoch": 1643317697728000000,"TacticIds": "hiscomposer","Tactics": "Americanforest","TechniqueIds": "Caesarianeye","Techniques": "anyonechapter","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "substantialfriend","offset": -1396362317,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "yourcackle","CustomerId": "thesecrew","Ipv": "193.229.19.220","CommandLine": "whattrip","ConnectionDirection": "1","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": false,"Log": false,"Monitor": false},"HostName": "itsbatch","ICMPCode": "severalanger","ICMPType": "Asiancast","ImageFileName": "amusedexaltation","LocalAddress": "253.184.132.24","LocalPort": "24050","MatchCount": 1975078664,"MatchCountSinceLastReport": -1310409146,"NetworkProfile": "hiswisp","PID": "-1403334497","PolicyName": "theirpoint","PolicyID": "whichclub","Protocol": "adventurousoutfit","RemoteAddress": "23.170.44.218","RemotePort": "19410","RuleAction": "somebodycrew","RuleDescription": "group failure book youth cash line host bunch class army group fame thereregiment","RuleFamilyID": "over theregovernment","RuleGroupName": "Middle Easternwoman","RuleName": "yourpack","RuleId": "howtroop","Status": "yellowcompany","Timestamp": 1751371830,"TreeID": "emptyaccident"}} +{"metadata": {"customerIDString": "hisheels","offset": 828966465,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "anycase","UserID": "itscackle","ExecutionID": "cutenest","ReportID": "therepronunciation","ReportName": "pleasantbrace","ReportType": "modernbravery","ReportFileReference": "Uzbektolerance","Status": "queerdivorce","StatusMessage": "whydivorce","ExecutionMetadata": {"ExecutionStart": -984913931,"ExecutionDuration": 474863803,"ReportFileName": "adorablemurder","ResultCount": -547953070,"ResultID": "whatjustice","SearchWindowStart": 508813606,"SearchWindowEnd": 1635296210}}} +{"metadata": {"customerIDString": "myexaltation","offset": -523684874,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "Gaussianhand","Region": "us-west-2","ResourceId": "Muscovitenumber","ResourceIdType": "whoseyear","ResourceName": "singletrip","ResourceCreateTime": 0,"PolicyStatement": "wherehost","PolicyId": -826618089,"Severity": 43,"SeverityName": "Low","CloudPlatform": "everybodygroup","CloudService": "hisball","Disposition": "Failed","ResourceUrl": "mostcar","Finding": "significantforest","Tags": [{"Key": "whereclothing","ValueString": "everythingdynasty"}],"ReportUrl": "hilariousquiver","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "sufficientslavery","offset": 1957375133,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -829582961,"ProcessEndTime": 169087412,"ProcessId": 1895039937,"ParentProcessId": 1219099601,"ComputerName": "itanger","UserName": "theirloss","DetectName": "anyoneday","DetectDescription": "honesty artist band clarity pack cheese patrol way intelligence bravery outfit clarity heart understanding college zebra moonlight brilliance heap government government neitherneck","Severity": 3,"SeverityName": "High","FileName": "over therethrill","FilePath": "Christianbrother\\over therethrill","CommandLine": "C:\\Windows\\South Americanroad","SHA256String": "wherecandy","MD5String": "itbale","SHA1String": "Portuguesenest","MachineDomain": "itcompany","NetworkAccesses": [{"AccessType": 1284562200,"AccessTimestamp": 1751371565,"Protocol": "whichmuster","LocalAddress": "120.27.112.218","LocalPort": 42593,"RemoteAddress": "232.133.168.219","RemotePort": 49601,"ConnectionDirection": 0,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/manyforest?_cid=xxxxxxx","SensorId": "nicereel","IOCType": "domain","IOCValue": "noneteam","DetectId": "ourpart","LocalIP": "169.121.153.163","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "Mayanstaff","Technique": "thesemuster","Objective": "eachuncle","PatternDispositionDescription": "knife caravan metal union brother bouquet leap wisp success news butter chest imagination progress thatnest","PatternDispositionValue": -125722399,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": true,"SensorOnly": false,"Rooting": false,"KillProcess": true,"KillSubProcess": false,"QuarantineMachine": false,"QuarantineFile": false,"PolicyDisabled": false,"KillParent": false,"OperationBlocked": false,"ProcessBlocked": false,"RegistryOperationBlocked": true,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": true,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "therebill","ParentCommandLine": "allcompany","GrandparentImageFileName": "Lincolniangang","GrandparentCommandLine": "hisbook","HostGroups": "onetrip","AssociatedFile": "hugestring","PatternId": 1708361399}} +{"metadata": {"customerIDString": "lightfriendship","offset": -669721107,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -741948395,"ProcessEndTime": 1186464878,"ProcessId": 1909058510,"ParentProcessId": -176291732,"ComputerName": "Pacificcoat","UserName": "oneleap","DetectName": "whyclass","DetectDescription": "problem class sofa employment meal basket job nest bag shampoo Romanright","Severity": 1,"SeverityName": "High","FileName": "hereability","FilePath": "whysoup\\hereability","CommandLine": "C:\\Windows\\doublestupidity","SHA256String": "lemonylion","MD5String": "Atlanteancrime","SHA1String": "Danishpigeon","MachineDomain": "itchoir","NetworkAccesses": [{"AccessType": 401823050,"AccessTimestamp": 1751371565,"Protocol": "hereliter","LocalAddress": "36.221.48.16","LocalPort": 43955,"RemoteAddress": "214.89.208.238","RemotePort": 45737,"ConnectionDirection": 2,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whoserhythm?_cid=xxxxxxx","SensorId": "hisbook","IOCType": "filename","IOCValue": "Romanhousework","DetectId": "whatposse","LocalIP": "11.21.72.228","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "herehorde","Technique": "a littleday","Objective": "motionlesscollection","PatternDispositionDescription": "pack bevy nutrition train yourcomposer","PatternDispositionValue": 1210360208,"PatternDispositionFlags": {"Indicator": true,"Detect": true,"InddetMask": false,"SensorOnly": false,"Rooting": false,"KillProcess": false,"KillSubProcess": true,"QuarantineMachine": false,"QuarantineFile": true,"PolicyDisabled": false,"KillParent": false,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": true,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": false,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": false,"SuspendParent": false},"ParentImageFileName": "therebrace","ParentCommandLine": "exuberantpod","GrandparentImageFileName": "whypatience","GrandparentCommandLine": "anythingthrill","HostGroups": "fewclass","AssociatedFile": "numerousphilosophy","PatternId": -1461953580}} +{"metadata": {"customerIDString": "hissandals","offset": 1681604328,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "someonedisregard","HostnameField": "whatgalaxy","UserName": "halfexaltation","StartTimestamp": 1582830734,"AgentIdString": "proudhost"}} +{"metadata": {"customerIDString": "hernest","offset": 1023013310,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "whitebasket","Highlights": ["therescold"],"MatchedTimestamp": 1686889114000,"RuleId": "Machiavellianpart","RuleName": "eitherpigeon","RuleTopic": "heregovernment","RulePriority": "Torontoniantrend","ItemId": "nobodycatalog","ItemType": "SCRAPPY","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "spottedcompany","offset": -253215512,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "whatlighter","UserIp": "72.197.193.234","OperationName": "grantCustomerSubscriptions","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "therehand","ValueString": "anxioustrip"}],"Attributes": {"actor_cid": "anydress","actor_user": "whosescold","actor_user_uuid": "somehat","app_id": "somebodyirritation","saml_assertion": "littlecare","target_user": "smoggydog","trace_id": "mycollege"}}} +{"metadata": {"customerIDString": "thereflag","offset": 41922970,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "over therelibrary","UserIp": "35.158.67.121","OperationName": "resetAuthSecret","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "Ecuadoriandishonesty","ValueString": "Malagasysedge"}],"Attributes": {"actor_cid": "couplearmy","actor_user": "hundredmuseum","actor_user_uuid": "herechapter","app_id": "doublemob","saml_assertion": "herebill","target_user": "Senegaleseanswer","trace_id": "scenicdisregard"}}} +{"metadata": {"customerIDString": "itteam","offset": 1236731672,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "Putinistpark","Highlights": ["thatliterature"],"MatchedTimestamp": 1686889114000,"RuleId": "yourscold","RuleName": "repulsivefield","RuleTopic": "thatship","RulePriority": "thosenecklace","ItemId": "thatrange","ItemType": "BREACH_6G","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "whattime","offset": -1148611913,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "Sudanesecare","DetectName": "thisappetite","DetectDescription": "number chair work team logic silence bread buckles orchard comfort troop school bunch horde scheme vehicle caravan part mercy thosefilm","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/friendlycast?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 94,"SeverityName": "Critical","Tactic": "knightlyscold","Technique": "Dutchcoffee","Objective": "nervoussand","SourceAccountDomain": "sufficientgeneration","SourceAccountName": "thisline","SourceAccountObjectSid": "anyoneestate","SourceEndpointAccountObjectGuid": "Mayantribe","SourceEndpointAccountObjectSid": "whyharvest","SourceEndpointHostName": "doublecash","SourceEndpointIpAddress": "240.193.149.84","SourceEndpointSensorId": "Afghanschool","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "whatstaff","PatternId": 1271181227}} +{"metadata": {"customerIDString": "Egyptiancompany","offset": -274490636,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "nobodygame","UserID": "Kazakhapp","ExecutionID": "panickeddynasty","ReportID": "anycluster","ReportName": "theseaircraft","ReportType": "Finnishyear","ReportFileReference": "Egyptianwealth","Status": "thesepod","StatusMessage": "thathand","ExecutionMetadata": {"ExecutionStart": -1030429283,"ExecutionDuration": 1600686231,"ReportFileName": "itscrew","ResultCount": -74496630,"ResultID": "Swazifame","SearchWindowStart": 1230543628,"SearchWindowEnd": 267852438}}} +{"metadata": {"customerIDString": "onepunctuation","offset": 1527408402,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "Machiavelliancrew","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\jitterymob","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Email","Description": "nest model posse mustering congregation art justice mustering crowd mirror choir heap popcorn hatred life kitchen growth bird husband cashier bale Indianstand","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whosegossip?_cid=xxxxxxx","FileName": "itspigeon","FilePath": "Vietnameseworld\\itspigeon","FilesAccessed": [{"FileName": "itspigeon","FilePath": "Vietnameseworld\\itspigeon","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "itspigeon","FilePath": "Vietnameseworld\\itspigeon","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\ourpod","GrandParentImageFileName": "Italianalbum","GrandParentImageFilePath": "thoseroad\\Italianalbum","HostGroups": "Africantrip","Hostname": "abundanttelevision","LocalIP": "190.228.206.91","LocalIPv6": "214.123.123.77","LogonDomain": "heremob","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "nuttystaff","Name": "itearrings","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -2066319981,"ConnectionDirection": 1,"IsIPV6": true,"LocalAddress": "128.207.85.90","LocalPort": 24101,"Protocol": "everybodycaravan","RemoteAddress": "152.127.132.123","RemotePort": 72923}],"Objective": "whatpharmacist","ParentCommandLine": "C:\\Windows\\hundredslist\\somebodypack","ParentImageFileName": "somebodypack","ParentImageFilePath": "thosecomputer\\somebodypack","ParentProcessId": 2014137232,"PatternDispositionDescription": "problem troop band whosemob","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": false,"ContainmentFileSystem": false,"CriticalProcessDisabled": false,"Detect": true,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"InddetMask": false,"Indicator": true,"KillActionFailed": false,"KillParent": true,"KillProcess": false,"KillSubProcess": false,"OperationBlocked": true,"PolicyDisabled": true,"ProcessBlocked": false,"QuarantineFile": false,"QuarantineMachine": true,"RegistryOperationBlocked": true,"Rooting": false,"SensorOnly": false,"SuspendParent": false,"SuspendProcess": false},"PatternDispositionValue": 355869786,"PatternId": -125593628,"PlatformId": "superfact","PlatformName": "Mac","ProcessEndTime": 324662446,"ProcessId": 22868941,"ProcessStartTime": 1177857078,"ReferrerUrl": "itfactory","SHA1String": "wherehappiness","SHA256String": "Turkishcrowd","Severity": 1,"SeverityName": "Informational","SourceProducts": "whosepatrol","SourceVendors": "Gaussianbush","Tactic": "Bangladeshifinger","Technique": "Lebaneseissue","Type": "ofp","UserName": "frailcup"}} +{"metadata": {"customerIDString": "enviousplace","offset": 1922237950,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "thoseapartment","Highlights": ["insufficientbale"],"MatchedTimestamp": 1686889114000,"RuleId": "fewentertainment","RuleName": "emptyhand","RuleTopic": "uptightphilosophy","RulePriority": "allplant","ItemId": "greatcollection","ItemType": "LEGACY_TI","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "ourway","offset": 725667662,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "manybrace","State": "open","FineScore": 4.6245755575309575,"LateralMovement": 0,"IncidentType": 2,"IncidentID": "wherecastle","HostID": "lazyhail","LMHostIDs": ["over therebevy"],"UserId": "fancybevy"}} +{"metadata": {"customerIDString": "itsexaltation","offset": 647985529,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "nonedata","UserIp": "100.55.7.214","OperationName": "requestResetPassword","ServiceName": "Crowdstrike Streaming API","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "severalmotivation","ValueString": "goodhost"}],"Attributes": {"actor_cid": "itsbutter","actor_user": "Bismarckianconditioner","actor_user_uuid": "Hondurantrip","app_id": "thereloneliness","saml_assertion": "thishatred","target_user": "thesehand","trace_id": "itworld"}}} +{"metadata": {"customerIDString": "eachjumper","offset": 1609562650,"eventType": "ReconNotificationSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"NotificationId": "modernmuster","Highlights": ["severalpain"],"MatchedTimestamp": 1686889114000,"RuleId": "fancytruck","RuleName": "muchman","RuleTopic": "Lincolnianbutter","RulePriority": "yourregiment","ItemId": "heavycovey","ItemType": "LEGACY_TI","ItemPostedTimestamp": 1686889114000}} +{"metadata": {"customerIDString": "whichpicture","offset": 237389943,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "whygroup","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\nomuster","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Email","Description": "week bouquet rainbow woman class quiver bevy sofa successfullady","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whyheap?_cid=xxxxxxx","FileName": "howbus stop","FilePath": "whybrilliance\\howbus stop","FilesAccessed": [{"FileName": "howbus stop","FilePath": "whybrilliance\\howbus stop","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "howbus stop","FilePath": "whybrilliance\\howbus stop","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\oneorchard","GrandParentImageFileName": "whereweek","GrandParentImageFilePath": "whyfleet\\whereweek","HostGroups": "yourwatch","Hostname": "eachstack","LocalIP": "117.25.223.118","LocalIPv6": "177.163.164.194","LogonDomain": "itdrum","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "nonetree","Name": "mybill","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 1785054354,"ConnectionDirection": 1,"IsIPV6": true,"LocalAddress": "225.181.191.29","LocalPort": 16239,"Protocol": "mostgenerosity","RemoteAddress": "185.212.179.232","RemotePort": 1575}],"Objective": "Brazilianharvest","ParentCommandLine": "C:\\Windows\\everyonedynasty\\manyclass","ParentImageFileName": "manyclass","ParentImageFilePath": "eachnest\\manyclass","ParentProcessId": -566012898,"PatternDispositionDescription": "somearchipelago","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": false,"ContainmentFileSystem": true,"CriticalProcessDisabled": true,"Detect": false,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"InddetMask": false,"Indicator": true,"KillActionFailed": false,"KillParent": false,"KillProcess": true,"KillSubProcess": false,"OperationBlocked": false,"PolicyDisabled": true,"ProcessBlocked": true,"QuarantineFile": true,"QuarantineMachine": true,"RegistryOperationBlocked": true,"Rooting": false,"SensorOnly": false,"SuspendParent": true,"SuspendProcess": false},"PatternDispositionValue": -1029443668,"PatternId": 953167709,"PlatformId": "thispatience","PlatformName": "Windows","ProcessEndTime": -224812447,"ProcessId": 1387183238,"ProcessStartTime": 1997901822,"ReferrerUrl": "disturbedbundle","SHA1String": "elatedbatch","SHA256String": "herebevy","Severity": 53,"SeverityName": "Informational","SourceProducts": "whosereligion","SourceVendors": "whereperson","Tactic": "nobodyteam","Technique": "oddbook","Type": "ldt","UserName": "Portugueseplace"}} +{"metadata": {"customerIDString": "boredflock","offset": -1977260193,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "yourregiment","UserID": "Russianstaff","ExecutionID": "thesequiver","ReportID": "whereunion","ReportName": "whereflock","ReportType": "eachjustice","ReportFileReference": "nervousevidence","Status": "thisfriend","StatusMessage": "Monacanreligion","ExecutionMetadata": {"ExecutionStart": -735615861,"ExecutionDuration": 1262735787,"ReportFileName": "allwork","ResultCount": 566549832,"ResultID": "theirreligion","SearchWindowStart": 483200356,"SearchWindowEnd": 1376936238}}} +{"metadata": {"customerIDString": "whatyear","offset": -1646137857,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "wherelife","UserIp": "208.218.248.195","OperationName": "updateUser","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "allorchard","ValueString": "myoutfit"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "over therebrace"}}} +{"metadata": {"customerIDString": "Madagascanposse","offset": -1429198163,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "ourcookware","HostnameField": "everybodypolice station","UserName": "whichpod","StartTimestamp": 1582830734,"AgentIdString": "itcompany"}} +{"metadata": {"customerIDString": "singlelibrary","offset": 1142904564,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "impromptubird","UserID": "whosequality","ExecutionID": "nonenecklace","ReportID": "Icelandiccongregation","ReportName": "Beninesework","ReportType": "Swisslitter","ReportFileReference": "oneeye","Status": "itunderstanding","StatusMessage": "wherechaos","ExecutionMetadata": {"ExecutionStart": -1160129291,"ExecutionDuration": -1476704105,"ReportFileName": "thisrespect","ResultCount": 893086467,"ResultID": "heavilyaid","SearchWindowStart": -1434112497,"SearchWindowEnd": 1138221378}}} +{"metadata": {"customerIDString": "therestress","offset": -747047066,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "howpart","DetectName": "whydynasty","DetectDescription": "philosophy archipelago talent generosity cackle wad garlic way dynasty town darkness onion stand day garage catalog congregation chest horror fish island Vietnameseclump","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/a littleway?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 50,"SeverityName": "Low","Tactic": "therewad","Technique": "everybodyvision","Objective": "Rooseveltianwisdom","SourceAccountDomain": "whosenoodles","SourceAccountName": "a lotwarmth","SourceAccountObjectSid": "hugewisp","SourceEndpointAccountObjectGuid": "anyspeed","SourceEndpointAccountObjectSid": "whattroop","SourceEndpointHostName": "itsbunch","SourceEndpointIpAddress": "236.210.225.233","SourceEndpointSensorId": "Welshhorde","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "plenty ofparty","PatternId": 446696863}} +{"metadata": {"customerIDString": "itsteam","offset": -258427995,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 14301111,"ProcessEndTime": -1138702117,"ProcessId": -986625045,"ParentProcessId": 1209293922,"ComputerName": "eachsedge","UserName": "itsmustering","DetectName": "mostcomputer","DetectDescription": "way film orchard mistake outfit patrol choker cluster mob string beauty company cash thatpack","Severity": 5,"SeverityName": "Critical","FileName": "thatwealth","FilePath": "Cambodiancasino\\thatwealth","CommandLine": "C:\\Windows\\neitherlove","SHA256String": "sleepyspeed","MD5String": "lightcomputer","SHA1String": "mostgroup","MachineDomain": "itshatred","NetworkAccesses": [{"AccessType": -995848599,"AccessTimestamp": 1751371565,"Protocol": "openmob","LocalAddress": "184.220.154.107","LocalPort": 61513,"RemoteAddress": "25.180.92.136","RemotePort": 33068,"ConnectionDirection": 1,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/everythingman?_cid=xxxxxxx","SensorId": "nonereligion","IOCType": "domain","IOCValue": "everytrip","DetectId": "fancycoffee","LocalIP": "79.196.128.30","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "thisexaltation","Technique": "itstissue","Objective": "fewskirt","PatternDispositionDescription": "cash sedge friendship shower trip baby poverty stream cast tribe humour pod chest coffee leisure insufficienttroop","PatternDispositionValue": -395118928,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": false,"SensorOnly": true,"Rooting": false,"KillProcess": false,"KillSubProcess": false,"QuarantineMachine": true,"QuarantineFile": false,"PolicyDisabled": false,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": true,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": false,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": false,"SuspendParent": false},"ParentImageFileName": "Lebanesefleet","ParentCommandLine": "fewcorruption","GrandparentImageFileName": "insufficienttroupe","GrandparentCommandLine": "hisbrilliance","HostGroups": "puzzledcrowd","AssociatedFile": "nobodybatch","PatternId": 375479710}} +{"metadata": {"customerIDString": "wholeradio","offset": -1760607636,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "theirarmy","UserIp": "195.183.77.216","OperationName": "activateUser","ServiceName": "detections","AuditKeyValues": [{"Key": "theseconfusion","ValueString": "hundredsbrace"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "therefriendship"}}} +{"metadata": {"customerIDString": "whereregiment","offset": 472409017,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "lightbatch","MobileDetectionId": -1636211472,"ComputerName": "obedientfailure","UserName": "itsunion","ContextTimeStamp": 1649061056,"DetectId": "fewwhisker","DetectName": "hismother","DetectDescription": "juice armchair fleet muster cabin line toothpaste marriage group bowl crowd divorce work host lawyer somebodyteam","Tactic": "naughtyadvice","TacticId": "oddcompany","Technique": "Congolesehandle","TechniqueId": "whatwisdom","Objective": "thatstaff","Severity": 17,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Beninesefuel?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "hundredsgroup","AndroidAppLabel": "Thatcheritepunctuation","DexFileHashes": "itsburger","ImageFileName": "heregrandfather","AppInstallerInformation": "strangepatrol","IsBeingDebugged": true,"AndroidAppVersionName": "wherecluster","IsContainerized": false}]}} +{"metadata": {"customerIDString": "everybodycollege","offset": -714324598,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "elegantwork","CustomerId": "somebodyline","Ipv": "17.180.93.244","CommandLine": "herblock","ConnectionDirection": "1","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": false,"Log": false,"Monitor": true},"HostName": "theirfleet","ICMPCode": "Orwellianphilosophy","ICMPType": "Honduranday","ImageFileName": "whoseunion","LocalAddress": "184.184.189.171","LocalPort": "62050","MatchCount": 1880415740,"MatchCountSinceLastReport": -1197212413,"NetworkProfile": "theircatalog","PID": "-78565002","PolicyName": "vastbook","PolicyID": "hundredspack","Protocol": "Burmeseflock","RemoteAddress": "235.13.158.70","RemotePort": "73527","RuleAction": "crowdedtrip","RuleDescription": "fish line box man album list mob pen leap team house growth costume part pod woman team air friendlyballoon","RuleFamilyID": "nonemob","RuleGroupName": "neitherhomework","RuleName": "outrageoustiming","RuleId": "significantpatrol","Status": "nobread","Timestamp": 1751371830,"TreeID": "significantset"}} +{"metadata": {"customerIDString": "elatedpoint","offset": 257541694,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "mypaper","State": "closed","FineScore": 5.549588929587846,"LateralMovement": 0,"IncidentType": 1,"IncidentID": "howchest","HostID": "herejaw","LMHostIDs": ["nonejealousy"],"UserId": "Englishenthusiasm"}} +{"metadata": {"customerIDString": "someonetent","offset": 823978461,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "thesehouse","UserIp": "219.241.32.203","OperationName": "deactivateUser","ServiceName": "detections","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "whoselabour","ValueString": "mostline"}],"Attributes": {"actor_cid": "someonehorde","actor_user": "mypoverty","actor_user_uuid": "whichemployment","app_id": "anythingcomb","saml_assertion": "tenderpair","target_user": "significantbattery","trace_id": "anybale"}}} +{"metadata": {"customerIDString": "lightlogic","offset": -116759513,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "lazywrist","MobileDetectionId": 342256197,"ComputerName": "singleloss","UserName": "thathorror","ContextTimeStamp": 1649061056,"DetectId": "whyweek","DetectName": "thisdarkness","DetectDescription": "wisp sedge child murder determination wealth cackle flock crowd troop collection heap doctor case path murder bale motherhood cloud team singlewoman","Tactic": "eachpoint","TacticId": "fewstream","Technique": "onewidth","TechniqueId": "awfulgovernment","Objective": "lots ofmotherhood","Severity": 59,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/itteam?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "wheretrain station","AndroidAppLabel": "herethrill","DexFileHashes": "tensefear","ImageFileName": "whoseadvantage","AppInstallerInformation": "Hitlerianirritation","IsBeingDebugged": false,"AndroidAppVersionName": "sparseforest","IsContainerized": false}]}} +{"metadata": {"customerIDString": "eachdivorce","offset": 1887561384,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "thankfulslavery","MobileDetectionId": -224577122,"ComputerName": "fullviolence","UserName": "Indianbread","ContextTimeStamp": 1649061056,"DetectId": "Canadianhost","DetectName": "orangestand","DetectDescription": "band rabbit life street computer caravan justice brace mistake troupe troop time anger exaltation time cast place plant company week sink Swazihedge","Tactic": "itwheelchair","TacticId": "ourcompany","Technique": "theseunemployment","TechniqueId": "Muscoviteanswer","Objective": "abundantbale","Severity": 44,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/hereworld?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "Sudaneseboat","AndroidAppLabel": "sparklynation","DexFileHashes": "thisbrilliance","ImageFileName": "doublecluster","AppInstallerInformation": "whatpart","IsBeingDebugged": true,"AndroidAppVersionName": "whatcandy","IsContainerized": true}]}} +{"metadata": {"customerIDString": "theseenergy","offset": -1842784803,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "theseyear","DataDomains": "Web","Description": "game bitterness set health gang person freedom man crowd gossip whosecackle","DetectId": "anytea","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "24.6.89.201","HostNames": "Indianscold","Name": "whoseusage","PatternId": 1325466376,"Severity": 42,"SourceProducts": "bravebundle","SourceVendors": "puzzledregiment","StartTimeEpoch": 1643317697728000000,"TacticIds": "gracefulspoon","Tactics": "joyousriches","TechniqueIds": "Lincolnianfrailty","Techniques": "eachhouse","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "Swisshost","offset": 413263399,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "thosegain","UserIp": "218.68.205.244","OperationName": "grantCustomerSubscriptions","ServiceName": "Crowdstrike Streaming API","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "hergroup","ValueString": "Bahamianbow"}],"Attributes": {"actor_cid": "hisshopping","actor_user": "whyostrich","actor_user_uuid": "hownutrition","app_id": "everyonetribe","saml_assertion": "itstruth","target_user": "fewcoat","trace_id": "itorchard"}}} +{"metadata": {"customerIDString": "whatvision","offset": -163226452,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "whichirritation","DataDomains": "Identity","Description": "anthology delay labour scold packet traffic welfare salt mother school crueleye","DetectId": "yourenvy","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "211.137.245.14","HostNames": "arroganttoothbrush","Name": "doubletribe","PatternId": -753145357,"Severity": 28,"SourceProducts": "delightfulstaff","SourceVendors": "Monacanswan","StartTimeEpoch": 1643317697728000000,"TacticIds": "Guyaneseyear","Tactics": "theirheart","TechniqueIds": "Egyptianchild","Techniques": "significantmotor","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "whatcast","offset": 811925238,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "whyfact","Region": "us-west-2","ResourceId": "wherehorde","ResourceIdType": "thesejustice","ResourceName": "everybodylogic","ResourceCreateTime": 0,"PolicyStatement": "fewzebra","PolicyId": 688566234,"Severity": 22,"SeverityName": "Medium","CloudPlatform": "whichharm","CloudService": "manyhand","Disposition": "Passed","ResourceUrl": "pricklingsun","Finding": "mymustering","Tags": [{"Key": "cuteream","ValueString": "thoseharvest"}],"ReportUrl": "anyonebones","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "charmingoven","offset": -1010968197,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "cleverproblem","Region": "us-west-1","ResourceId": "allcleverness","ResourceIdType": "whatgovernment","ResourceName": "gracefuldisregard","ResourceCreateTime": 0,"PolicyStatement": "whereset","PolicyId": 2075386905,"Severity": 79,"SeverityName": "High","CloudPlatform": "everythingwhale","CloudService": "sufficientmethod","Disposition": "Passed","ResourceUrl": "over therecomb","Finding": "whatdoctor","Tags": [{"Key": "oneday","ValueString": "onehouse"}],"ReportUrl": "everyonewoman","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "nonefleet","offset": -1840396919,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "thatparty","CustomerId": "whywheat","Ipv": "229.134.79.18","CommandLine": "therechild","ConnectionDirection": "2","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": false,"Log": false,"Monitor": true},"HostName": "wherehost","ICMPCode": "anypair","ICMPType": "whosetribe","ImageFileName": "howgrains","LocalAddress": "121.215.68.4","LocalPort": "80725","MatchCount": 1278266109,"MatchCountSinceLastReport": -1170101990,"NetworkProfile": "mythrill","PID": "-1771055778","PolicyName": "thosefleet","PolicyID": "whoseriver","Protocol": "yourbale","RemoteAddress": "42.0.82.34","RemotePort": "6289","RuleAction": "dangerousprofessor","RuleDescription": "thrill philosophy calm scold hedge packet child knowledge microscope mustering week year brace wherevillage","RuleFamilyID": "someonerice","RuleGroupName": "wherejoy","RuleName": "yourapp","RuleId": "herbody","Status": "thoseream","Timestamp": 1751371830,"TreeID": "pleasantbowl"}} +{"metadata": {"customerIDString": "nichejuice","offset": 1727918718,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "Danishnap","DataDomains": "Email","Description": "team coffee palm basket riches tea pumpkin clothing stand annoyance pack party salt success year severalstaff","DetectId": "itring","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "63.219.163.204","HostNames": "Mayanbook","Name": "hertroop","PatternId": 1262235642,"Severity": 16,"SourceProducts": "over therewhale","SourceVendors": "itspacket","StartTimeEpoch": 1643317697728000000,"TacticIds": "thosegovernment","Tactics": "Atlanticproblem","TechniqueIds": "mypoverty","Techniques": "Balineseloneliness","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "severalheap","offset": 1070529402,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "somebodyforest","HostnameField": "wheresedge","UserName": "hisbale","StartTimestamp": 1582830734,"AgentIdString": "a lotprogram"}} +{"metadata": {"customerIDString": "theretime","offset": 213099884,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "obedientcare","DetectName": "lots ofblock","DetectDescription": "station bottle stack dynasty lamb animal leap woman trip wisp day dream way brilliance beans hedge king enthusiasticman","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/ournumber?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 7,"SeverityName": "High","Tactic": "thereluck","Technique": "Chineseparty","Objective": "emptytroupe","SourceAccountDomain": "dizzyingposse","SourceAccountName": "Balineseelegance","SourceAccountObjectSid": "numerousdream","SourceEndpointAccountObjectGuid": "thoughtfuldeer","SourceEndpointAccountObjectSid": "whycheese","SourceEndpointHostName": "whosefoot","SourceEndpointIpAddress": "223.140.102.228","SourceEndpointSensorId": "enoughpatrol","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "Japaneselife","PatternId": -380100246}} +{"metadata": {"customerIDString": "wheresofa","offset": 1880427403,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "enoughtime","Region": "us-east-2","ResourceId": "whatfact","ResourceIdType": "couplerhythm","ResourceName": "significantmob","ResourceCreateTime": 0,"PolicyStatement": "over thereset","PolicyId": 1987705020,"Severity": 15,"SeverityName": "Medium","CloudPlatform": "allbattery","CloudService": "mytribe","Disposition": "Failed","ResourceUrl": "thatintelligence","Finding": "someonewealth","Tags": [{"Key": "howmob","ValueString": "quaintwidth"}],"ReportUrl": "theredoctor","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "elegantcap","offset": 1119455354,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "Machiavelliangossip","MobileDetectionId": 1572789320,"ComputerName": "hundredcompany","UserName": "a lotmarriage","ContextTimeStamp": 1649061056,"DetectId": "onecluster","DetectName": "neitherdarkness","DetectDescription": "plant tribe tunnel television way abundantbunch","Tactic": "mything","TacticId": "Parisianlamp","Technique": "brownscold","TechniqueId": "hermother","Objective": "over thereanthology","Severity": 38,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/thatpride?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "someoneharvest","AndroidAppLabel": "over thereflock","DexFileHashes": "smoggybunch","ImageFileName": "therepod","AppInstallerInformation": "therenest","IsBeingDebugged": true,"AndroidAppVersionName": "repulsivestand","IsContainerized": true}]}} +{"metadata": {"customerIDString": "heredentist","offset": -790417217,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "onehand","HostnameField": "stupidtrip","UserName": "someflock","StartTimestamp": 1582830734,"AgentIdString": "manygovernment"}} +{"metadata": {"customerIDString": "itsedge","offset": -1898740542,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "whystaff","DataDomains": "Cloud","Description": "trade clarity bunch cat crew electricity band thought fuel howfleet","DetectId": "couplecompany","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "192.109.66.89","HostNames": "somebodyleap","Name": "allman","PatternId": 808009428,"Severity": 85,"SourceProducts": "substantialenergy","SourceVendors": "itslife","StartTimeEpoch": 1643317697728000000,"TacticIds": "Colombianbaby","Tactics": "nobodyengine","TechniqueIds": "howcompany","Techniques": "Alaskantent","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "greatfailure","offset": 149873024,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "Viennesecovey","IncidentDescription": "child suitcase range gas station wealth lamb lamb publicity station party tomatoes troop eye union choir tent howexaltation","Severity": 24,"SeverityName": "Medium","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "uglyluck","UserName": "enchantednews","EndpointName": "everyonebale","EndpointIp": "101.177.37.39","Category": "Detections","NumbersOfAlerts": 786630224,"NumberOfCompromisedEntities": 1582548137,"State": "NEW","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/joyoushorror?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "yourream","offset": 1961545286,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "toocackle","UserID": "whatbrace","ExecutionID": "whytable","ReportID": "everyoneparty","ReportName": "Lebanesebatch","ReportType": "Diabolicaleye","ReportFileReference": "everythingboat","Status": "Spanishline","StatusMessage": "hisstar","ExecutionMetadata": {"ExecutionStart": 1120190420,"ExecutionDuration": -615806240,"ReportFileName": "thesemustering","ResultCount": -143096838,"ResultID": "coupleroad","SearchWindowStart": 549100716,"SearchWindowEnd": 1553138222}}} +{"metadata": {"customerIDString": "whatgroup","offset": 1034109684,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "Barcelonianmurder","UserIp": "105.162.182.4","OperationName": "createUser","ServiceName": "Crowdstrike Streaming API","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "hereshower","ValueString": "anythingcompany"}],"Attributes": {"actor_cid": "manysafety","actor_user": "sufficientpaper","actor_user_uuid": "fewelegance","app_id": "whichmotherhood","saml_assertion": "condemnedcheese","target_user": "onelips","trace_id": "amusedbale"}}} +{"metadata": {"customerIDString": "Burkinesecup","offset": 305373083,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "significantbrace","UserIp": "110.77.63.34","OperationName": "selfAcceptEula","ServiceName": "detections","Success": true,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "lonelyyear","ValueString": "whichevidence"}],"Attributes": {"actor_cid": "smilingbattery","actor_user": "itsmedicine","actor_user_uuid": "eithercaptain","app_id": "Spanishsedge","saml_assertion": "a little bitnest","target_user": "awfulluxury","trace_id": "whatgirl"}}} +{"metadata": {"customerIDString": "whyquantity","offset": 1896250844,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": 374328473,"ProcessEndTime": 1925826440,"ProcessId": 471551332,"ParentProcessId": 1611641070,"ComputerName": "repulsivejustice","UserName": "thereright","DetectName": "anyonestring","DetectDescription": "part line choir advantage happiness cackle posse mob troop bundle crew time nest whereimagination","Severity": 0,"SeverityName": "Low","FileName": "littletroupe","FilePath": "ourcrew\\littletroupe","CommandLine": "C:\\Windows\\itscomputer","SHA256String": "Alaskanline","MD5String": "someoneemployment","SHA1String": "lovelycongregation","MachineDomain": "mybevy","NetworkAccesses": [{"AccessType": -81898620,"AccessTimestamp": 1751371565,"Protocol": "Romanianreligion","LocalAddress": "204.59.171.39","LocalPort": 10526,"RemoteAddress": "205.40.121.146","RemotePort": 14937,"ConnectionDirection": 1,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/enough offurniture?_cid=xxxxxxx","SensorId": "hertroupe","IOCType": "hash_sha256","IOCValue": "worrisomewisp","DetectId": "thesebatch","LocalIP": "132.4.202.152","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "yourproblem","Technique": "charmingyouth","Objective": "fullcompany","PatternDispositionDescription": "posse trend herewater","PatternDispositionValue": -134342907,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": true,"SensorOnly": false,"Rooting": false,"KillProcess": true,"KillSubProcess": true,"QuarantineMachine": true,"QuarantineFile": false,"PolicyDisabled": true,"KillParent": true,"OperationBlocked": true,"ProcessBlocked": true,"RegistryOperationBlocked": false,"CriticalProcessDisabled": true,"BootupSafeguardEnabled": false,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": true,"SuspendParent": false},"ParentImageFileName": "severalcabinet","ParentCommandLine": "manyunderstanding","GrandparentImageFileName": "whyharvest","GrandparentCommandLine": "thosecomb","HostGroups": "Welshstaff","AssociatedFile": "whichrubbish","PatternId": -78970361}} +{"metadata": {"customerIDString": "whichchest","offset": -370463590,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "uglyband","UserIp": "42.215.240.82","OperationName": "deactivateUser","ServiceName": "Crowdstrike Streaming API","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "thattown","ValueString": "emptygroup"}],"Attributes": {"actor_cid": "a lotsalt","actor_user": "lots ofannoyance","actor_user_uuid": "wheretroop","app_id": "itsroom (space)","saml_assertion": "everythingwashing machine","target_user": "braveglasses","trace_id": "somebodybatch"}}} +{"metadata": {"customerIDString": "anythingway","offset": 467314223,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "hungrycase","UserIp": "54.163.170.166","OperationName": "updateUserRoles","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "Jungiancaravan","ValueString": "thosegown"}],"Attributes": {"actor_cid": "hiskid","actor_user": "herclass","actor_user_uuid": "perfectmob","app_id": "Italianforest","saml_assertion": "uglyginger","target_user": "someonepod","trace_id": "therebevy"}}} +{"metadata": {"customerIDString": "so fewquiver","offset": 1070716380,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "anythingtour","DetectName": "whichleap","DetectDescription": "laptop somebodything","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whereboard?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 36,"SeverityName": "Informational","Tactic": "myposse","Technique": "significantstack","Objective": "wanderingmob","SourceAccountDomain": "poisedapartment","SourceAccountName": "somepoint","SourceAccountObjectSid": "whoseday","SourceEndpointAccountObjectGuid": "anyonearmy","SourceEndpointAccountObjectSid": "thosecrew","SourceEndpointHostName": "oneturtle","SourceEndpointIpAddress": "247.26.195.106","SourceEndpointSensorId": "itsinformation","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "whatbevy","PatternId": -1220474550}} +{"metadata": {"customerIDString": "eachunderstanding","offset": -587153472,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "wrongcollection","MobileDetectionId": -574613663,"ComputerName": "wherebody","UserName": "drabposse","ContextTimeStamp": 1649061056,"DetectId": "myheat","DetectName": "thosefact","DetectDescription": "table heap deceit star bowl tour cloud bunch riches time nutrition collection air part seed everybodypacket","Tactic": "Christianrefrigerator","TacticId": "Sudanesedata","Technique": "enough ofgossip","TechniqueId": "hundredsthing","Objective": "victoriousproject","Severity": 21,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/arrogantroom?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "itsboxers","AndroidAppLabel": "foolishschool","DexFileHashes": "outstandingbattery","ImageFileName": "wherechild","AppInstallerInformation": "Bismarckianteam","IsBeingDebugged": false,"AndroidAppVersionName": "myrestaurant","IsContainerized": false}]}} +{"metadata": {"customerIDString": "whoseapp","offset": -425822831,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "theirverb","HostnameField": "herestupidity","UserName": "somebodycarpet","StartTimestamp": 1582830734,"AgentIdString": "thistablet"}} +{"metadata": {"customerIDString": "zealouspopcorn","offset": -1751655908,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "whatfact","DataDomains": "Email","Description": "brace kindness sugar heap case staff fish company judge book snow paper laughter crow significantadvice","DetectId": "thoseexaltation","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "254.183.207.200","HostNames": "Chinesepicture","Name": "hiscatalog","PatternId": -2111882047,"Severity": 88,"SourceProducts": "itsflock","SourceVendors": "theirrice","StartTimeEpoch": 1643317697728000000,"TacticIds": "thesesand","Tactics": "hercluster","TechniqueIds": "couplebunch","Techniques": "everybodyline","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "itsgrandfather","offset": 1099121215,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "greatwork","Region": "us-west-1","ResourceId": "thereeducation","ResourceIdType": "someonemustering","ResourceName": "realistichospital","ResourceCreateTime": 0,"PolicyStatement": "couplesolitude","PolicyId": -787790530,"Severity": 10,"SeverityName": "High","CloudPlatform": "coupleadvantage","CloudService": "lots ofsock","Disposition": "Passed","ResourceUrl": "Hitleriantrip","Finding": "itcatalog","Tags": [{"Key": "over thereunderstanding","ValueString": "horriblewisp"}],"ReportUrl": "everybodymob","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "yourwork","offset": 1076918008,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "substantialusage","UserIp": "179.135.243.128","OperationName": "grantCustomerSubscriptions","ServiceName": "Crowdstrike Streaming API","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "tastyanswer","ValueString": "anyscold"}],"Attributes": {"actor_cid": "tensewindow","actor_user": "littlearmy","actor_user_uuid": "Einsteinianbelief","app_id": "fewspaghetti","saml_assertion": "Britishneck","target_user": "everybodyhand","trace_id": "whatcase"}}} +{"metadata": {"customerIDString": "everybodyset","offset": 836335149,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "severalalligator","MobileDetectionId": 1943762630,"ComputerName": "eagerhorde","UserName": "yourset","ContextTimeStamp": 1649061056,"DetectId": "noneface","DetectName": "somebodyfreedom","DetectDescription": "life tooriches","Tactic": "wheresuccess","TacticId": "scarycrowd","Technique": "fewcatalog","TechniqueId": "Finnishbitterness","Objective": "thathand","Severity": 70,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Sammarinesenotebook?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "gentlebrother","AndroidAppLabel": "puzzledbasket","DexFileHashes": "awfulgalaxy","ImageFileName": "ourcup","AppInstallerInformation": "Polynesiantroupe","IsBeingDebugged": false,"AndroidAppVersionName": "Gaussianplace","IsContainerized": true}]}} +{"metadata": {"customerIDString": "severaljoy","offset": 516490988,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "jealousfriend","PolicyId": 469826311,"PolicyStatement": "thatbouquet","CloudProvider": "Newtonianparrot","CloudService": "dizzyingcovey","Severity": 46,"SeverityName": "Medium","EventAction": "Lebanesemob","EventSource": "oneparty","EventCreatedTimestamp": 1663011160,"UserId": "doublecluster","UserName": "nervousscold","UserSourceIp": "53.155.232.168","Tactic": "doublegrandfather","Technique": "toobeach"}} +{"metadata": {"customerIDString": "Peruvianpod","offset": 550404721,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "ourgloves","CustomerId": "neitherpart","Ipv": "8.47.107.55","CommandLine": "ourthing","ConnectionDirection": "0","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": true,"Log": false,"Monitor": false},"HostName": "fancyprogress","ICMPCode": "whosegroup","ICMPType": "thosearmy","ImageFileName": "yourcrowd","LocalAddress": "143.162.134.202","LocalPort": "68492","MatchCount": -1188814932,"MatchCountSinceLastReport": -1389098824,"NetworkProfile": "anyonenoun","PID": "1819726482","PolicyName": "wanderingcast","PolicyID": "ourbody","Protocol": "Middle Easternawareness","RemoteAddress": "166.172.215.153","RemotePort": "71013","RuleAction": "Barcelonianarrow","RuleDescription": "truth company sister set fact pod harvest brace smoke year theregame","RuleFamilyID": "severaltiming","RuleGroupName": "Monacanwoman","RuleName": "wickedbale","RuleId": "whymuster","Status": "yourbutter","Timestamp": 1751371830,"TreeID": "onecase"}} +{"metadata": {"customerIDString": "significantream","offset": -900942813,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "howworld","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\Mozartianteam","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Cloud","Description": "work dangerousflock","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/hisproblem?_cid=xxxxxxx","FileName": "anyhall","FilePath": "eachline\\anyhall","FilesAccessed": [{"FileName": "anyhall","FilePath": "eachline\\anyhall","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "anyhall","FilePath": "eachline\\anyhall","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\herearmy","GrandParentImageFileName": "wherecat","GrandParentImageFilePath": "herehospital\\wherecat","HostGroups": "whitesecond","Hostname": "itsday","LocalIP": "41.220.181.243","LocalIPv6": "98.238.152.78","LogonDomain": "someonecluster","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "thisluxury","Name": "manythrill","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 1302319275,"ConnectionDirection": 1,"IsIPV6": false,"LocalAddress": "159.103.65.155","LocalPort": 18924,"Protocol": "Freudianbattery","RemoteAddress": "170.74.114.32","RemotePort": 17713}],"Objective": "itchybread","ParentCommandLine": "C:\\Windows\\whathen\\herrubbish","ParentImageFileName": "herrubbish","ParentImageFilePath": "somebodylie\\herrubbish","ParentProcessId": 996063762,"PatternDispositionDescription": "thing scold sorrow education quiver archipelago staff reel homework scold forest fewgroup","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": true,"Detect": false,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"InddetMask": false,"Indicator": false,"KillActionFailed": false,"KillParent": true,"KillProcess": true,"KillSubProcess": false,"OperationBlocked": false,"PolicyDisabled": false,"ProcessBlocked": true,"QuarantineFile": false,"QuarantineMachine": false,"RegistryOperationBlocked": true,"Rooting": false,"SensorOnly": false,"SuspendParent": false,"SuspendProcess": true},"PatternDispositionValue": -1578117058,"PatternId": -1580414227,"PlatformId": "itsmustering","PlatformName": "Mac","ProcessEndTime": -505637706,"ProcessId": -1545954875,"ProcessStartTime": 1877761422,"ReferrerUrl": "whatfinger","SHA1String": "someonebowl","SHA256String": "itgovernment","Severity": 74,"SeverityName": "High","SourceProducts": "a little bitboard","SourceVendors": "wrongplace","Tactic": "thisbevy","Technique": "whosefood","Type": "ofp","UserName": "doubletown"}} +{"metadata": {"customerIDString": "theirschool","offset": -104094373,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -234636472,"ProcessEndTime": 1339241224,"ProcessId": 1065673297,"ParentProcessId": -1472960077,"ComputerName": "noneline","UserName": "Bahamiansnowman","DetectName": "itcomputer","DetectDescription": "album mob archipelago friendship success horde company batch right harvest dream guilt heat group shop energy woman nap hisperson","Severity": 0,"SeverityName": "Low","FileName": "itsleap","FilePath": "smoggybale\\itsleap","CommandLine": "C:\\Windows\\knightlybattery","SHA256String": "eachadvertising","MD5String": "herehorror","SHA1String": "fullrice","MachineDomain": "faithfulcrime","NetworkAccesses": [{"AccessType": -1852376208,"AccessTimestamp": 1751371565,"Protocol": "coupleworld","LocalAddress": "87.185.241.72","LocalPort": 25948,"RemoteAddress": "215.250.80.64","RemotePort": 64750,"ConnectionDirection": 1,"IsIPV6": true}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/South Americanmilk?_cid=xxxxxxx","SensorId": "wheresinger","IOCType": "command_line","IOCValue": "somebodycase","DetectId": "theseenthusiasm","LocalIP": "33.102.92.179","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "jitterygroup","Technique": "upsetcoffee","Objective": "myblock","PatternDispositionDescription": "stupidity fact orchard range exaltation idea case product horde life troupe idea murder board holiday welfare girl thismuster","PatternDispositionValue": 154868586,"PatternDispositionFlags": {"Indicator": true,"Detect": false,"InddetMask": false,"SensorOnly": false,"Rooting": true,"KillProcess": true,"KillSubProcess": false,"QuarantineMachine": false,"QuarantineFile": true,"PolicyDisabled": false,"KillParent": false,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": true,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": true,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": false,"SuspendParent": true},"ParentImageFileName": "Atlanticsoup","ParentCommandLine": "a little bitvalley","GrandparentImageFileName": "Romanianyoga","GrandparentCommandLine": "thismustering","HostGroups": "allcollection","AssociatedFile": "Belgianlibrary","PatternId": 1038143163}} +{"metadata": {"customerIDString": "therebasket","offset": -1482063069,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "anythinglibrary","State": "closed","FineScore": 9.621915223550307,"LateralMovement": 0,"IncidentType": 2,"IncidentID": "sillybody","HostID": "thisquantity","LMHostIDs": ["theirrice"],"UserId": "someeye"}} +{"metadata": {"customerIDString": "theireye","offset": 1505022070,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "theseheap","IncidentDescription": "truth exaltation body courage river crowd crew chocolate problem pen metal stand riches toothbrush jealousy dream wealth board right way market bundle advice fantasticanthology","Severity": 73,"SeverityName": "Low","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "Slovakparty","UserName": "anythingring","EndpointName": "annoyingmarriage","EndpointIp": "7.236.10.163","Category": "Incidents","NumbersOfAlerts": 1201378806,"NumberOfCompromisedEntities": 1292674977,"State": "IN_PROGRESS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Koreanroad?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "couplehorror","offset": 154599492,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "thatstring","UserIp": "94.231.69.154","OperationName": "requestResetPassword","ServiceName": "detections","AuditKeyValues": [{"Key": "whatambulance","ValueString": "everybodyaunt"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "nichetroop"}}} +{"metadata": {"customerIDString": "whatmustering","offset": -783097223,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "Laotianoutfit","DetectName": "Thatcheriteemployment","DetectDescription": "host point life dog dynasty horror cast bill archipelago sorrow flock product determination set stack turkey hospital mob shower pronunciation murder anythingloneliness","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/wholepride?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 46,"SeverityName": "High","Tactic": "Gaussiansmoke","Technique": "obedientbunch","Objective": "outstandingwarmth","SourceAccountDomain": "Russianconfusion","SourceAccountName": "notroop","SourceAccountObjectSid": "therebatch","SourceEndpointAccountObjectGuid": "Danishtalent","SourceEndpointAccountObjectSid": "badbox","SourceEndpointHostName": "lots ofline","SourceEndpointIpAddress": "111.87.106.222","SourceEndpointSensorId": "thistroop","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "whichtroop","PatternId": 1871629415}} +{"metadata": {"customerIDString": "theirchoir","offset": 1707609541,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "mybatch","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\ourproduct","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "IoT","Description": "wisp care care covey heap train flock room youth accommodation wildlife bridge troop bird pronunciation bale fact rhythm whatheap","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Jungiangloves?_cid=xxxxxxx","FileName": "ourmob","FilePath": "blushinggrandmother\\ourmob","FilesAccessed": [{"FileName": "ourmob","FilePath": "blushinggrandmother\\ourmob","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "ourmob","FilePath": "blushinggrandmother\\ourmob","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\itsmurder","GrandParentImageFileName": "oursolitude","GrandParentImageFilePath": "theirpotato\\oursolitude","HostGroups": "hislife","Hostname": "whosekindness","LocalIP": "77.122.212.136","LocalIPv6": "101.94.203.39","LogonDomain": "thatchoir","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "significantthing","Name": "so fewbunch","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -290255403,"ConnectionDirection": 0,"IsIPV6": false,"LocalAddress": "128.130.162.113","LocalPort": 87664,"Protocol": "severallibrary","RemoteAddress": "10.119.10.40","RemotePort": 28306}],"Objective": "everybodyhail","ParentCommandLine": "C:\\Windows\\manyplace\\howtroupe","ParentImageFileName": "howtroupe","ParentImageFilePath": "fewposse\\howtroupe","ParentProcessId": -1183764153,"PatternDispositionDescription": "mob thing mob fun gas station team socks troupe ream posse tribe clump scold line brace fact elegance cackle cluster album thererange","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": false,"ContainmentFileSystem": true,"CriticalProcessDisabled": false,"Detect": true,"FsOperationBlocked": true,"HandleOperationDowngraded": true,"InddetMask": true,"Indicator": true,"KillActionFailed": false,"KillParent": false,"KillProcess": true,"KillSubProcess": true,"OperationBlocked": false,"PolicyDisabled": false,"ProcessBlocked": false,"QuarantineFile": true,"QuarantineMachine": true,"RegistryOperationBlocked": true,"Rooting": false,"SensorOnly": false,"SuspendParent": false,"SuspendProcess": true},"PatternDispositionValue": 1417374195,"PatternId": 990773909,"PlatformId": "thisability","PlatformName": "Windows","ProcessEndTime": 1078347455,"ProcessId": 1807685076,"ProcessStartTime": 324949076,"ReferrerUrl": "severalsalt","SHA1String": "whatpack","SHA256String": "Turkishishmusic","Severity": 5,"SeverityName": "Informational","SourceProducts": "hisgang","SourceVendors": "whicheye","Tactic": "itschool","Technique": "thatoutfit","Type": "ldt","UserName": "thatbaby"}} +{"metadata": {"customerIDString": "eachhail","offset": 910054756,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "whychest","MobileDetectionId": -1066361567,"ComputerName": "therepollution","UserName": "lots ofchild","ContextTimeStamp": 1649061056,"DetectId": "plenty ofstack","DetectName": "everythingpain","DetectDescription": "hair troop advantage pod cloud regiment whichcase","Tactic": "doublesoup","TacticId": "thankfulgovernment","Technique": "noneexaltation","TechniqueId": "everythinggovernor","Objective": "Intelligenttime","Severity": 36,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/lemonycountry?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "victorioussolitude","AndroidAppLabel": "manydesk","DexFileHashes": "whoselife","ImageFileName": "Plutoniangoodness","AppInstallerInformation": "howday","IsBeingDebugged": true,"AndroidAppVersionName": "eithercase","IsContainerized": true}]}} +{"metadata": {"customerIDString": "nobodyheart","offset": -1480801993,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -664707217,"ProcessEndTime": 1356490391,"ProcessId": -439951165,"ParentProcessId": 463703834,"ComputerName": "whatcomb","UserName": "fewchoir","DetectName": "allsedge","DetectDescription": "muster brace flock line chest Sudanesesedge","Severity": 2,"SeverityName": "Low","FileName": "whypod","FilePath": "theseplace\\whypod","CommandLine": "C:\\Windows\\neithersparrow","SHA256String": "howspeed","MD5String": "herstraw","SHA1String": "emptypack","MachineDomain": "greatpainter","NetworkAccesses": [{"AccessType": 1649138494,"AccessTimestamp": 1751371565,"Protocol": "someonepatrol","LocalAddress": "153.130.99.166","LocalPort": 85526,"RemoteAddress": "195.189.167.229","RemotePort": 55938,"ConnectionDirection": 0,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/magnificentstand?_cid=xxxxxxx","SensorId": "Turkishdetermination","IOCType": "behavior","IOCValue": "toughway","DetectId": "howcaptain","LocalIP": "253.92.155.205","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "hundredtravel","Technique": "someonechapter","Objective": "nonebevy","PatternDispositionDescription": "irritation art time life choir crowd eye hand handsomewarmth","PatternDispositionValue": -354807263,"PatternDispositionFlags": {"Indicator": false,"Detect": false,"InddetMask": true,"SensorOnly": true,"Rooting": true,"KillProcess": true,"KillSubProcess": false,"QuarantineMachine": false,"QuarantineFile": false,"PolicyDisabled": false,"KillParent": false,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": true,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": true,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"KillActionFailed": true,"BlockingUnsupportedOrDisabled": true,"SuspendProcess": true,"SuspendParent": true},"ParentImageFileName": "myliterature","ParentCommandLine": "hisbeauty","GrandparentImageFileName": "condemnedrain","GrandparentCommandLine": "fewcovey","HostGroups": "hergroup","AssociatedFile": "sufficientcompany","PatternId": -2136295940}} +{"metadata": {"customerIDString": "thesenecklace","offset": 499490277,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "eachson","DetectName": "over thereanswer","DetectDescription": "toy child determination deceit imagination leap part problem unemployment itanger","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/anythingteam?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 29,"SeverityName": "Low","Tactic": "everyoneidea","Technique": "itpark","Objective": "thisstaff","SourceAccountDomain": "impossiblebunch","SourceAccountName": "thatgroup","SourceAccountObjectSid": "hisbevy","SourceEndpointAccountObjectGuid": "eagerdream","SourceEndpointAccountObjectSid": "Britishdream","SourceEndpointHostName": "Romanheap","SourceEndpointIpAddress": "43.168.13.71","SourceEndpointSensorId": "heregalaxy","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "a littleanimal","PatternId": -989308898}} +{"metadata": {"customerIDString": "herbowl","offset": 2014670838,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "whylove","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\wherearmy","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Email","Description": "person week dynasty crew stand forest scold wisp patience clothing anthology book child rainbow body thereposse","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Cambodianriches?_cid=xxxxxxx","FileName": "somecaptain","FilePath": "fewmob\\somecaptain","FilesAccessed": [{"FileName": "somecaptain","FilePath": "fewmob\\somecaptain","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "somecaptain","FilePath": "fewmob\\somecaptain","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\therenest","GrandParentImageFileName": "whichjustice","GrandParentImageFilePath": "Swisssister\\whichjustice","HostGroups": "Intelligentkoala","Hostname": "allhatred","LocalIP": "154.204.32.239","LocalIPv6": "53.135.178.55","LogonDomain": "hereseafood","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "halfgoodness","Name": "thesehelp","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": 2076137131,"ConnectionDirection": 1,"IsIPV6": false,"LocalAddress": "28.212.21.213","LocalPort": 25122,"Protocol": "thesemurder","RemoteAddress": "199.51.196.161","RemotePort": 4758}],"Objective": "Somalicovey","ParentCommandLine": "C:\\Windows\\obnoxiousline\\insufficientdisregard","ParentImageFileName": "insufficientdisregard","ParentImageFilePath": "famousman\\insufficientdisregard","ParentProcessId": -1602500269,"PatternDispositionDescription": "year exaltation army pain theater wad nature pair leisure gang tribe leisure church pen crew host packet comb stress crowd regiment air Thatcheritetomatoes","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": false,"Detect": true,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"InddetMask": false,"Indicator": false,"KillActionFailed": false,"KillParent": false,"KillProcess": true,"KillSubProcess": true,"OperationBlocked": true,"PolicyDisabled": true,"ProcessBlocked": true,"QuarantineFile": false,"QuarantineMachine": true,"RegistryOperationBlocked": false,"Rooting": true,"SensorOnly": false,"SuspendParent": true,"SuspendProcess": true},"PatternDispositionValue": -1207066680,"PatternId": -21302995,"PlatformId": "anythingchair","PlatformName": "Mac","ProcessEndTime": 677326050,"ProcessId": 1009504147,"ProcessStartTime": -861205713,"ReferrerUrl": "herecomfort","SHA1String": "hilariousparty","SHA256String": "outstandingbody","Severity": 22,"SeverityName": "Critical","SourceProducts": "nobodyaccommodation","SourceVendors": "herhospital","Tactic": "myinformation","Technique": "mykindness","Type": "ldt","UserName": "Californiantroop"}} +{"metadata": {"customerIDString": "nonegroup","offset": -1235253501,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "a little bitway","UserIp": "43.136.128.121","OperationName": "confirmResetPassword","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "ittribe","ValueString": "somehorde"}],"Attributes": {"actor_cid": "itpoint","actor_user": "hiscollection","actor_user_uuid": "howdishonesty","app_id": "itreel","saml_assertion": "nichetrip","target_user": "tastyheap","trace_id": "wholeweight"}}} +{"metadata": {"customerIDString": "greatfiction","offset": -169473232,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "everybodyjoy","HostnameField": "hugehotel","UserName": "mostadult","StartTimestamp": 1582830734,"AgentIdString": "therepatrol"}} +{"metadata": {"customerIDString": "itfleet","offset": 1446616657,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "mygalaxy","Region": "us-west-1","ResourceId": "attractiveluck","ResourceIdType": "howzebra","ResourceName": "myline","ResourceCreateTime": 0,"PolicyStatement": "whybale","PolicyId": -240473013,"Severity": 85,"SeverityName": "High","CloudPlatform": "whatcovey","CloudService": "filthyroom (space)","Disposition": "Passed","ResourceUrl": "whypod","Finding": "hisstack","Tags": [{"Key": "wheretroop","ValueString": "handsomethrill"}],"ReportUrl": "itchycompany","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "thoseunion","offset": -442409568,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "defianttrend","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\Beethovenianair","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "IoT","Description": "task team education week kindness host oil candle cravat school pair cluster unemployment bunch cackle anger corner exaltation tea itjoy","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/wideharvest?_cid=xxxxxxx","FileName": "itsold age","FilePath": "thereshock\\itsold age","FilesAccessed": [{"FileName": "itsold age","FilePath": "thereshock\\itsold age","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "itsold age","FilePath": "thereshock\\itsold age","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\whichfact","GrandParentImageFileName": "outrageousboard","GrandParentImageFilePath": "somebodybelief\\outrageousboard","HostGroups": "anyonecomfort","Hostname": "whatleap","LocalIP": "106.87.193.55","LocalIPv6": "135.202.91.150","LogonDomain": "anyonestack","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "Bahamianart","Name": "charmingpoverty","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -579867327,"ConnectionDirection": 0,"IsIPV6": true,"LocalAddress": "118.47.108.223","LocalPort": 42729,"Protocol": "herecloud","RemoteAddress": "192.115.25.70","RemotePort": 80597}],"Objective": "a little bitwork","ParentCommandLine": "C:\\Windows\\anyonepatrol\\thankfulgovernor","ParentImageFileName": "thankfulgovernor","ParentImageFilePath": "onenumber\\thankfulgovernor","ParentProcessId": 274159899,"PatternDispositionDescription": "boat pack monkey chair scale board person pod baby nature battery eye costume xylophone kilometer comb field group fruit bale government lightgroup","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": true,"Detect": true,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"InddetMask": true,"Indicator": true,"KillActionFailed": true,"KillParent": false,"KillProcess": false,"KillSubProcess": true,"OperationBlocked": true,"PolicyDisabled": true,"ProcessBlocked": true,"QuarantineFile": true,"QuarantineMachine": true,"RegistryOperationBlocked": false,"Rooting": false,"SensorOnly": false,"SuspendParent": true,"SuspendProcess": true},"PatternDispositionValue": -266493756,"PatternId": -1496995766,"PlatformId": "whosewalk","PlatformName": "Windows","ProcessEndTime": 949063399,"ProcessId": 462479544,"ProcessStartTime": 1027612118,"ReferrerUrl": "Sudanesefrailty","SHA1String": "Americanwisdom","SHA256String": "theresalt","Severity": 92,"SeverityName": "Low","SourceProducts": "severalmustering","SourceVendors": "thisschool","Tactic": "everybodycrew","Technique": "whattroop","Type": "ofp","UserName": "Cambodianblock"}} +{"metadata": {"customerIDString": "yourbunch","offset": -1445144308,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "theremob","CustomerId": "jealouscity","Ipv": "189.25.15.207","CommandLine": "Salvadoreangovernment","ConnectionDirection": "2","EventType": "FirewallRuleApplicationFailed","Flags": {"Audit": false,"Log": true,"Monitor": false},"HostName": "whatgroup","ICMPCode": "Mayanunderstanding","ICMPType": "glamorousbody","ImageFileName": "inquiringbale","LocalAddress": "126.227.89.91","LocalPort": "13770","MatchCount": -674428234,"MatchCountSinceLastReport": 926315771,"NetworkProfile": "Confucianawareness","PID": "526892878","PolicyName": "itschoir","PolicyID": "lots ofisland","Protocol": "thereegg","RemoteAddress": "162.85.15.1","RemotePort": "18866","RuleAction": "Africanability","RuleDescription": "bank cup crew bunch news deceit stream myfinger","RuleFamilyID": "Diabolicalfailure","RuleGroupName": "outstandingcollection","RuleName": "everyonegang","RuleId": "littlegroup","Status": "adventurouspen","Timestamp": 1751371830,"TreeID": "shychoir"}} +{"metadata": {"customerIDString": "Ecuadoriansand","offset": -63618596,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "doubleocean","State": "open","FineScore": 3.6197896386230197,"LateralMovement": 1,"IncidentType": 1,"IncidentID": "severalbush","HostID": "everythingsoup","LMHostIDs": ["myplate"],"UserId": "itfoot"}} +{"metadata": {"customerIDString": "manycompany","offset": 587068461,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "howfrog","DetectName": "whoseday","DetectDescription": "brother shopping soup class gown forest infancy butter place set way cat hospitality research group cave plan anthology wildlife growth hand company reel greatcase","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/myweek?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 96,"SeverityName": "Medium","Tactic": "a little bitmuster","Technique": "goodbale","Objective": "herwarmth","SourceAccountDomain": "thishedge","SourceAccountName": "somelife","SourceAccountObjectSid": "Welshsuccess","SourceEndpointAccountObjectGuid": "hundredslife","SourceEndpointAccountObjectSid": "itregiment","SourceEndpointHostName": "whatparty","SourceEndpointIpAddress": "52.174.142.116","SourceEndpointSensorId": "greatfreedom","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "whyband","PatternId": -384760931}} +{"metadata": {"customerIDString": "wanderingwisp","offset": 1714490954,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "whichtribe","DataDomains": "IoT","Description": "air dishonesty giraffe battery tribe company sandwich hisdisregard","DetectId": "yourfoot","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "44.4.68.26","HostNames": "theirbelt","Name": "Cormoranbaby","PatternId": 547399691,"Severity": 93,"SourceProducts": "howteam","SourceVendors": "Antarcticenvy","StartTimeEpoch": 1643317697728000000,"TacticIds": "mushycase","Tactics": "sparsehost","TechniqueIds": "Salvadoreanpart","Techniques": "whosehealth","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "Thatcheritecrew","offset": 1085973968,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "wanderingviolence","CustomerId": "thoseenvy","Ipv": "69.44.183.72","CommandLine": "happywisp","ConnectionDirection": "0","EventType": "FirewallRuleIP4Matched","Flags": {"Audit": false,"Log": false,"Monitor": false},"HostName": "terribletrip","ICMPCode": "vastkilometer","ICMPType": "sleepyquiver","ImageFileName": "somebodygeneration","LocalAddress": "236.54.178.96","LocalPort": "70344","MatchCount": -587424769,"MatchCountSinceLastReport": -657920173,"NetworkProfile": "onegrowth","PID": "1898217853","PolicyName": "relievedidea","PolicyID": "eitherfrailty","Protocol": "whytroop","RemoteAddress": "164.218.254.92","RemotePort": "27780","RuleAction": "a littlehorde","RuleDescription": "group life horror problem toothpaste motherhood theirreel","RuleFamilyID": "yourbale","RuleGroupName": "ashamedcatalog","RuleName": "manyleap","RuleId": "howisland","Status": "thereline","Timestamp": 1751371830,"TreeID": "significantgun"}} +{"metadata": {"customerIDString": "over theredeceit","offset": -1122233875,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "whichmurder","UserIp": "5.239.236.14","OperationName": "requestResetPassword","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "Taiwaneseloneliness","ValueString": "wherereligion"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "thisfinger"}}} +{"metadata": {"customerIDString": "a lotcleverness","offset": -2048442,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "Intelligentpatrol","Region": "us-east-1","ResourceId": "Burmeseexaltation","ResourceIdType": "nobodycity","ResourceName": "allelegance","ResourceCreateTime": 0,"PolicyStatement": "fewboard","PolicyId": -512706245,"Severity": 43,"SeverityName": "High","CloudPlatform": "obedientchest","CloudService": "mything","Disposition": "Passed","ResourceUrl": "itswork","Finding": "Uzbekart","Tags": [{"Key": "obnoxiousparty","ValueString": "greendress"}],"ReportUrl": "whosetrip","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "mybread","offset": -1325604589,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "onewit","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\whathill","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "Email","Description": "skyscraper dog magic riches team ring man outfit cloud comfort driver razor confusion party howstand","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/so fewgroup?_cid=xxxxxxx","FileName": "anyonecompany","FilePath": "sparsesister\\anyonecompany","FilesAccessed": [{"FileName": "anyonecompany","FilePath": "sparsesister\\anyonecompany","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "anyonecompany","FilePath": "sparsesister\\anyonecompany","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\whatgalaxy","GrandParentImageFileName": "whatharvest","GrandParentImageFilePath": "over therecaravan\\whatharvest","HostGroups": "mychaise longue","Hostname": "therelife","LocalIP": "45.92.61.58","LocalIPv6": "172.181.169.171","LogonDomain": "purplearmy","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "howart","Name": "whichtime","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -1143479247,"ConnectionDirection": 2,"IsIPV6": false,"LocalAddress": "173.85.118.189","LocalPort": 67424,"Protocol": "whyspeed","RemoteAddress": "164.12.64.92","RemotePort": 51877}],"Objective": "somebodydoor","ParentCommandLine": "C:\\Windows\\Taiwanesecovey\\someonejob","ParentImageFileName": "someonejob","ParentImageFilePath": "nobodygenerosity\\someonejob","ParentProcessId": -2129072122,"PatternDispositionDescription": "cap clump band hatred regiment government numerouskilometer","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": true,"BootupSafeguardEnabled": true,"ContainmentFileSystem": false,"CriticalProcessDisabled": false,"Detect": true,"FsOperationBlocked": false,"HandleOperationDowngraded": true,"InddetMask": false,"Indicator": true,"KillActionFailed": true,"KillParent": false,"KillProcess": false,"KillSubProcess": true,"OperationBlocked": false,"PolicyDisabled": false,"ProcessBlocked": true,"QuarantineFile": true,"QuarantineMachine": false,"RegistryOperationBlocked": true,"Rooting": false,"SensorOnly": false,"SuspendParent": false,"SuspendProcess": false},"PatternDispositionValue": -88302655,"PatternId": 1951890639,"PlatformId": "somebodyhand","PlatformName": "Linux","ProcessEndTime": 1642637292,"ProcessId": -1893228872,"ProcessStartTime": -383749688,"ReferrerUrl": "everythingpoverty","SHA1String": "adventurousgoal","SHA256String": "awfulream","Severity": 73,"SeverityName": "Critical","SourceProducts": "ourtribe","SourceVendors": "theseteam","Tactic": "whatlie","Technique": "anythinghail","Type": "ofp","UserName": "whyharm"}} +{"metadata": {"customerIDString": "somebuilding","offset": -640891942,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "Sudanesestand","MobileDetectionId": -1943071553,"ComputerName": "singlecast","UserName": "yourschool","ContextTimeStamp": 1649061056,"DetectId": "ourwildlife","DetectName": "wherethought","DetectDescription": "frailparty","Tactic": "mygoal","TacticId": "wherefact","Technique": "herpumpkin","TechniqueId": "itsman","Objective": "ourdesktop","Severity": 30,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/eachsafety?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "longteacher","AndroidAppLabel": "thoseclass","DexFileHashes": "Atlantichappiness","ImageFileName": "somebodything","AppInstallerInformation": "theirgang","IsBeingDebugged": false,"AndroidAppVersionName": "itsteam","IsContainerized": false}]}} +{"metadata": {"customerIDString": "Cypriotbread","offset": -1789071430,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "ourjudge","PolicyId": -1418080276,"PolicyStatement": "itspunctuation","CloudProvider": "plenty ofscold","CloudService": "eachworld","Severity": 96,"SeverityName": "Informational","EventAction": "whoseriches","EventSource": "neitherstack","EventCreatedTimestamp": 1663011160,"UserId": "myriches","UserName": "herhorror","UserSourceIp": "51.74.60.182","Tactic": "over therefailure","Technique": "Chineseusage"}} +{"metadata": {"customerIDString": "thistask","offset": 2049273134,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "nuttygame","DataDomains": "Endpoint","Description": "happiness fruit cloud love murder party gun lack cookware assistance group adult board range chest nap kitchen eageroutfit","DetectId": "Plutoniantalent","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "150.143.106.85","HostNames": "greatstupidity","Name": "Japanesepoverty","PatternId": -1543856490,"Severity": 20,"SourceProducts": "noneproblem","SourceVendors": "itrhythm","StartTimeEpoch": 1643317697728000000,"TacticIds": "uninterestedprogress","Tactics": "whichteam","TechniqueIds": "enough ofhand","Techniques": "hundredsprogram","XdrType": "xdr-scheduled-search" } }} +{"metadata": {"customerIDString": "Sri-Lankansister","offset": 94661833,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "uninterestedclump","State": "open","FineScore": 1.1544780716192304,"LateralMovement": 1,"IncidentType": 1,"IncidentID": "elatedplane","HostID": "theirrelaxation","LMHostIDs": ["hundrednest"],"UserId": "whypencil"}} +{"metadata": {"customerIDString": "whosesheaf","offset": 213989202,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "Viennesewolf","State": "open","FineScore": 6.011567877739499,"LateralMovement": 1,"IncidentType": 2,"IncidentID": "Machiavellianharvest","HostID": "allveterinarian","LMHostIDs": ["Cambodianhand"],"UserId": "healthypack"}} +{"metadata": {"customerIDString": "thereclump","offset": -1822867553,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "tendercleverness","HostnameField": "thathandle","UserName": "thesestand","StartTimestamp": 1582830734,"AgentIdString": "hisbale"}} +{"metadata": {"customerIDString": "ourboard","offset": 2116235252,"eventType": "AuthActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "thatbody","UserIp": "214.111.169.238","OperationName": "revokeCustomerSubscriptions","ServiceName": "detections","Success": false,"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "giftedengine","ValueString": "ourhedge"}],"Attributes": {"actor_cid": "wherekindness","actor_user": "whosecrowd","actor_user_uuid": "thoselife","app_id": "someonemotivation","saml_assertion": "thattroupe","target_user": "fewbucket","trace_id": "herenap"}}} +{"metadata": {"customerIDString": "whyline","offset": -2034480940,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "Dutchpart","CustomerId": "howsafety","Ipv": "50.148.47.27","CommandLine": "yourturtle","ConnectionDirection": "1","EventType": "FirewallRuleApplicationFailed","Flags": {"Audit": true,"Log": false,"Monitor": true},"HostName": "insufficientclump","ICMPCode": "itcorruption","ICMPType": "halfcackle","ImageFileName": "everythingharvest","LocalAddress": "141.153.83.70","LocalPort": "2082","MatchCount": -5800360,"MatchCountSinceLastReport": -43465211,"NetworkProfile": "mytroop","PID": "-1531454840","PolicyName": "disgustingregiment","PolicyID": "repulsiveproblem","Protocol": "emptyson","RemoteAddress": "15.239.102.156","RemotePort": "43616","RuleAction": "itgoal","RuleDescription": "mob company film wherepoint","RuleFamilyID": "Japanesedetective","RuleGroupName": "herejustice","RuleName": "manycompany","RuleId": "onebook","Status": "fewsleep","Timestamp": 1751371830,"TreeID": "itsbody"}} +{"metadata": {"customerIDString": "stormyweek","offset": 1178256658,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "onescooter","State": "closed","FineScore": 6.661966415825172,"LateralMovement": 0,"IncidentType": 2,"IncidentID": "hereleggings","HostID": "whereteam","LMHostIDs": ["Diabolicalbasket"],"UserId": "whosehat"}} +{"metadata": {"customerIDString": "whichadvice","offset": -1321765314,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "howhand","UserIp": "24.249.233.17","OperationName": "revokeCustomerSubscriptions","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "everyonefun","ValueString": "fewbucket"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "thoseperson"}}} +{"metadata": {"customerIDString": "Greeklibrary","offset": -1336259380,"eventType": "RemoteResponseSessionStartEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SessionId": "hisbale","HostnameField": "nobodyclump","UserName": "Honduranman","StartTimestamp": 1582830734,"AgentIdString": "enough ofshorts"}} +{"metadata": {"customerIDString": "Intelligentbattery","offset": -1299002360,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "thoseteam","DetectName": "theretroop","DetectDescription": "ship publicity grandmother food cello love cleverness week scold bill group window caravan packet ship tunnel damage cluster warmth vehicle leap group thesefood","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/yourtalent?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 7,"SeverityName": "Informational","Tactic": "thesepicture","Technique": "heavilydesk","Objective": "Elizabethanyouth","SourceAccountDomain": "eachline","SourceAccountName": "hurtgenetics","SourceAccountObjectSid": "happysedge","SourceEndpointAccountObjectGuid": "arrogantcare","SourceEndpointAccountObjectSid": "youroven","SourceEndpointHostName": "thereman","SourceEndpointIpAddress": "177.220.103.253","SourceEndpointSensorId": "Bahamianbrace","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "a littleimagination","PatternId": -2212633}} +{"metadata": {"customerIDString": "substantialstring","offset": -1609727149,"eventType": "XdrDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"Author": "someoneoutfit","DataDomains": "Endpoint","Description": "table bag person goal blender problem world exaltation muster carpet confusion loss day horror neithercandle","DetectId": "foolishbale","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "218.24.83.17","HostNames": "openregiment","Name": "whichwildlife","PatternId": -201104283,"Severity": 98,"SourceProducts": "lightperson","SourceVendors": "neithermurder","StartTimeEpoch": 1643317697728000000,"TacticIds": "histroop","Tactics": "bluetrip","TechniqueIds": "howcheeks","Techniques": "ourunemployment","XdrType": "xdr" } }} +{"metadata": {"customerIDString": "heavycloud","offset": 868105962,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "over theremilk","IncidentDescription": "slavery government host choker shower bunch company regiment stand whichyard","Severity": 16,"SeverityName": "Low","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "improvisedgossip","UserName": "somebodycackle","EndpointName": "Afghandynasty","EndpointIp": "41.168.27.245","Category": "Detections","NumbersOfAlerts": 1873325904,"NumberOfCompromisedEntities": -1046634522,"State": "IN_PROGRESS","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Greekenvy?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "over theregovernment","offset": -1380987013,"eventType": "ScheduledReportNotificationEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserUUID": "significantbravery","UserID": "Brazilianbale","ExecutionID": "cleverclass","ReportID": "cleanmovement","ReportName": "Machiavellianweather","ReportType": "theirvest","ReportFileReference": "Sammarineseweek","Status": "whereschool","StatusMessage": "herebasket","ExecutionMetadata": {"ExecutionStart": 1277318902,"ExecutionDuration": 791041518,"ReportFileName": "somebodytroupe","ResultCount": 1109023433,"ResultID": "over therecollection","SearchWindowStart": 1830057893,"SearchWindowEnd": 485142157}}} +{"metadata": {"customerIDString": "helpfulblock","offset": -1146299184,"eventType": "EppDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AgentId": "severalday","AggregateId": "xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725","CommandLine": "C:\\Windows\\couplecinema","CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DataDomains": "IoT","Description": "bird shower tribe gas station block stairs zebra patience invention stand mybouquet","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whypeace?_cid=xxxxxxx","FileName": "muddyrange","FilePath": "hundredseye\\muddyrange","FilesAccessed": [{"FileName": "muddyrange","FilePath": "hundredseye\\muddyrange","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "muddyrange","FilePath": "hundredseye\\muddyrange","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\anythingfashion","GrandParentImageFileName": "itsbeach","GrandParentImageFilePath": "itpack\\itsbeach","HostGroups": "over theregun","Hostname": "hisadult","LocalIP": "98.65.93.34","LocalIPv6": "103.114.225.5","LogonDomain": "Balinesecovey","MACAddress": "ba-xx-00-xx-d0-00","MD5String": "Barcelonianboat","Name": "thatdelay","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": -1626519218,"ConnectionDirection": 1,"IsIPV6": true,"LocalAddress": "59.176.64.182","LocalPort": 87240,"Protocol": "itscoldness","RemoteAddress": "237.220.236.246","RemotePort": 58766}],"Objective": "whatchild","ParentCommandLine": "C:\\Windows\\terribleplace\\neithertime","ParentImageFileName": "neithertime","ParentImageFilePath": "numerousbrace\\neithertime","ParentProcessId": -1069921836,"PatternDispositionDescription": "board host pod nose crowd club envy sand growth help day week crowd way vest eye forest team computer divorce game whosecalm","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": false,"BootupSafeguardEnabled": true,"ContainmentFileSystem": true,"CriticalProcessDisabled": false,"Detect": false,"FsOperationBlocked": false,"HandleOperationDowngraded": false,"InddetMask": true,"Indicator": true,"KillActionFailed": false,"KillParent": true,"KillProcess": false,"KillSubProcess": false,"OperationBlocked": false,"PolicyDisabled": false,"ProcessBlocked": true,"QuarantineFile": true,"QuarantineMachine": false,"RegistryOperationBlocked": true,"Rooting": false,"SensorOnly": false,"SuspendParent": false,"SuspendProcess": false},"PatternDispositionValue": -1278685248,"PatternId": 1360594552,"PlatformId": "thoseocean","PlatformName": "Linux","ProcessEndTime": 961474645,"ProcessId": -884132110,"ProcessStartTime": -505508776,"ReferrerUrl": "thesepunctuation","SHA1String": "thatposse","SHA256String": "herechild","Severity": 73,"SeverityName": "Critical","SourceProducts": "troublingmob","SourceVendors": "Koreanregiment","Tactic": "hergoodness","Technique": "theirline","Type": "ofp","UserName": "fraildisregard"}} +{"metadata": {"customerIDString": "whyhumour","offset": -1741697306,"eventType": "CSPMIOAStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "ournose","PolicyId": -958451065,"PolicyStatement": "Vietnamesetroop","CloudProvider": "thesemurder","CloudService": "mypart","Severity": 31,"SeverityName": "Low","EventAction": "ourcourage","EventSource": "thathost","EventCreatedTimestamp": 1663011160,"UserId": "howleap","UserName": "Russianrice","UserSourceIp": "121.5.115.211","Tactic": "nobodydisregard","Technique": "eachyouth"}} +{"metadata": {"customerIDString": "whathand","offset": 1933866810,"eventType": "IdentityProtectionEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentType": "ourlife","IncidentDescription": "juice board dolphin hishail","Severity": 26,"SeverityName": "Medium","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "whatfear","UserName": "doublegold","EndpointName": "ourbike","EndpointIp": "59.247.68.51","Category": "Incidents","NumbersOfAlerts": 943590548,"NumberOfCompromisedEntities": -281856154,"State": "NEW","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/whatclothing?_cid=xxxxxxx"}} +{"metadata": {"customerIDString": "Jungianwork","offset": -1789365447,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "impossibletown","DetectName": "thoseworld","DetectDescription": "posse failure purse flock work stand pride mustering sheaf island pollution troop jealousy sand school wood company governor juice whereschool","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/numerouscash?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 40,"SeverityName": "Critical","Tactic": "nobodygrowth","Technique": "manygame","Objective": "franticquiver","SourceAccountDomain": "oddbunch","SourceAccountName": "franticparty","SourceAccountObjectSid": "whichcompany","SourceEndpointAccountObjectGuid": "everythingcrowd","SourceEndpointAccountObjectSid": "herehost","SourceEndpointHostName": "itsoutfit","SourceEndpointIpAddress": "161.46.200.9","SourceEndpointSensorId": "oneposse","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "Diabolicalvest","PatternId": -30748192}} +{"metadata": {"customerIDString": "Senegalesepeace","offset": 1534643744,"eventType": "UserActivityAuditEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"UserId": "herecurrency","UserIp": "45.126.100.46","OperationName": "activateUser","ServiceName": "Crowdstrike Streaming API","AuditKeyValues": [{"Key": "anythingoutfit","ValueString": "singledollar"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "muchalbum"}}} +{"metadata": {"customerIDString": "whosebus","offset": 1439241484,"eventType": "IdpDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ContextTimeStamp": 133984620360000000,"CompositeId": "xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104","DetectId": "someonetribe","DetectName": "anygenetics","DetectDescription": "shoulder motherhood bunch kindness church team company fact team patrol thing Laotianoxygen","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Rooseveltiantolerance?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": 82,"SeverityName": "Informational","Tactic": "wherespeed","Technique": "hisscold","Objective": "whichwad","SourceAccountDomain": "abundantdeer","SourceAccountName": "thosehatred","SourceAccountObjectSid": "howgovernment","SourceEndpointAccountObjectGuid": "annoyingcandy","SourceEndpointAccountObjectSid": "whichplace","SourceEndpointHostName": "eitherday","SourceEndpointIpAddress": "154.34.176.197","SourceEndpointSensorId": "greatbra","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "Uzbekgoal","PatternId": 1496321780}} +{"metadata": {"customerIDString": "thismotivation","offset": -326727255,"eventType": "MobileDetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"SensorId": "scaryunderstanding","MobileDetectionId": 1666589603,"ComputerName": "ourfriend","UserName": "ourcompany","ContextTimeStamp": 1649061056,"DetectId": "Norwegianeducation","DetectName": "Sudaneseeye","DetectDescription": "horror wisdom labour pack bale sheaf bale freedom stand charmingshower","Tactic": "onecare","TacticId": "somebodycackle","Technique": "youngteam","TechniqueId": "Koreanhall","Objective": "wherekindness","Severity": 17,"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/oneleap?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "anyteam","AndroidAppLabel": "Danishhen","DexFileHashes": "everysandwich","ImageFileName": "ourpack","AppInstallerInformation": "proudjewelry","IsBeingDebugged": false,"AndroidAppVersionName": "itsexaltation","IsContainerized": true}]}} +{"metadata": {"customerIDString": "hisyear","offset": -1448767478,"eventType": "DetectionSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"ProcessStartTime": -980864626,"ProcessEndTime": -1044321077,"ProcessId": -294277730,"ParentProcessId": -1876307779,"ComputerName": "anypart","UserName": "manyproblem","DetectName": "a little bitmustering","DetectDescription": "problem whosebox","Severity": 0,"SeverityName": "Medium","FileName": "itshark","FilePath": "alldesigner\\itshark","CommandLine": "C:\\Windows\\mycrowd","SHA256String": "thosebouquet","MD5String": "everybodycatalog","SHA1String": "whosehand","MachineDomain": "thatworld","NetworkAccesses": [{"AccessType": 2121345305,"AccessTimestamp": 1751371565,"Protocol": "herfreedom","LocalAddress": "182.180.225.250","LocalPort": 22243,"RemoteAddress": "136.53.227.144","RemotePort": 24308,"ConnectionDirection": 1,"IsIPV6": false}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/Barcelonianbrother?_cid=xxxxxxx","SensorId": "hercrew","IOCType": "filename","IOCValue": "blackcloud","DetectId": "itinnocence","LocalIP": "106.206.227.215","MACAddress": "ba-xx-00-xx-d0-00","Tactic": "Russianpair","Technique": "theregold","Objective": "Buddhistriches","PatternDispositionDescription": "patience mob cast dishonesty packet gun sedge troop plate confusion problem party dream party union over therehorde","PatternDispositionValue": -74895917,"PatternDispositionFlags": {"Indicator": true,"Detect": true,"InddetMask": false,"SensorOnly": true,"Rooting": true,"KillProcess": true,"KillSubProcess": true,"QuarantineMachine": false,"QuarantineFile": true,"PolicyDisabled": true,"KillParent": false,"OperationBlocked": true,"ProcessBlocked": false,"RegistryOperationBlocked": true,"CriticalProcessDisabled": false,"BootupSafeguardEnabled": true,"FsOperationBlocked": true,"HandleOperationDowngraded": false,"KillActionFailed": false,"BlockingUnsupportedOrDisabled": false,"SuspendProcess": true,"SuspendParent": false},"ParentImageFileName": "Frenchleap","ParentCommandLine": "nobodyturtle","GrandparentImageFileName": "theirassistance","GrandparentCommandLine": "Koreanhost","HostGroups": "a lotwisp","AssociatedFile": "mycase","PatternId": 2106182774}} +{"metadata": {"customerIDString": "thosetribe","offset": 2044247197,"eventType": "IncidentSummaryEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "giftedbowl","State": "closed","FineScore": 6.2033996796056305,"LateralMovement": 1,"IncidentType": 1,"IncidentID": "mostwashing machine","HostID": "everysuccess","LMHostIDs": ["somebodymustering"],"UserId": "thereedge"}} +{"metadata": {"customerIDString": "Einsteiniancluster","offset": -1951395340,"eventType": "CSPMSearchStreamingEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"AccountId": "Alpinegroup","Region": "us-west-2","ResourceId": "thisnature","ResourceIdType": "severalidea","ResourceName": "whatyear","ResourceCreateTime": 0,"PolicyStatement": "itstupidity","PolicyId": 2086215561,"Severity": 52,"SeverityName": "Low","CloudPlatform": "onehomework","CloudService": "whynews","Disposition": "Failed","ResourceUrl": "somebodybale","Finding": "hundrednoun","Tags": [{"Key": "brighttrust","ValueString": "Indonesianlibrary"}],"ReportUrl": "emptycheese","Timestamp": 1751371830}} +{"metadata": {"customerIDString": "lightpride","offset": 864928643,"eventType": "FirewallMatchEvent","eventCreationTime": 1686845212400,"version": "1.0"},"event": {"DeviceId": "theirthought","CustomerId": "whosechild","Ipv": "176.54.115.87","CommandLine": "whosehelp","ConnectionDirection": "2","EventType": "FirewallRuleIP6Matched","Flags": {"Audit": false,"Log": false,"Monitor": true},"HostName": "Swazifashion","ICMPCode": "hereparty","ICMPType": "amusedclump","ImageFileName": "thosegroup","LocalAddress": "192.163.185.149","LocalPort": "79090","MatchCount": -349549757,"MatchCountSinceLastReport": -2121487243,"NetworkProfile": "whoseclock","PID": "-60059955","PolicyName": "somebodyelegance","PolicyID": "stormyfact","Protocol": "whybook","RemoteAddress": "208.54.63.162","RemotePort": "18860","RuleAction": "cooperativecrew","RuleDescription": "anthology brilliance finger time point exaltation life man muster fleet hereorchard","RuleFamilyID": "theircatalog","RuleGroupName": "therehand","RuleName": "everypath","RuleId": "everybodyarmy","Status": "whichcloud","Timestamp": 1751371830,"TreeID": "over therewashing machine"}} diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/main.tf b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/main.tf new file mode 100644 index 0000000000..48d10519f0 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/main.tf @@ -0,0 +1,5 @@ +resource "local_file" "benchmark_log" { + source = "./files/sample.log" + filename = "/tmp/service_logs/tf-benchmark-${var.TEST_RUN_ID}.log" + file_permission = "0777" +} diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/variables.tf b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/variables.tf new file mode 100644 index 0000000000..32d90dee64 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/deploy/tf/variables.tf @@ -0,0 +1,26 @@ +variable "BRANCH" { + description = "Branch name or pull request for tagging purposes" + default = "unknown-branch" +} + +variable "BUILD_ID" { + description = "Build ID in the CI for tagging purposes" + default = "unknown-build" +} + +variable "CREATED_DATE" { + description = "Creation date in epoch time for tagging purposes" + default = "unknown-date" +} + +variable "ENVIRONMENT" { + default = "unknown-environment" +} + +variable "REPO" { + default = "unknown-repo-name" +} + +variable "TEST_RUN_ID" { + default = "detached" +} diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark.yml new file mode 100644 index 0000000000..9b4c016deb --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark.yml @@ -0,0 +1,22 @@ +--- +description: Benchmark 1000 falcon events ingested +input: logfile +deployer: tf +data_stream: + name: falcon + vars: + paths: + - "{{SERVICE_LOGS_DIR}}/tf-benchmark-{{TEST_RUN_ID}}.log" +warmup_time_period: 2s +corpora: + input_service: + name: crowdstrike + generator: + total_events: 1000 + template: + path: ./falcon-benchmark/template.ndjson + type: gotext + config: + path: ./falcon-benchmark/config.yml + fields: + path: ./falcon-benchmark/fields.yml diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark/config.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark/config.yml new file mode 100644 index 0000000000..9bb3180c7d --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark/config.yml @@ -0,0 +1,203 @@ +fields: +# metadata + - name: metadata.eventType + enum: + - DetectionSummaryEvent + - EppDetectionSummaryEvent + - MobileDetectionSummaryEvent + - IncidentSummaryEvent + - XdrDetectionSummaryEvent + - IdpDetectionSummaryEvent + - ReconNotificationSummaryEvent + - IdentityProtectionEvent + - CSPMIOAStreamingEvent + - CSPMSearchStreamingEvent + - UserActivityAuditEvent + - AuthActivityAuditEvent + - FirewallMatchEvent + - RemoteResponseSessionStartEvent + - ScheduledReportNotificationEvent + - name: metadata.customerIDString + cardinality: 100000 + - name: metadata.offset + cardinality: 100000 + - name: timestamp + period: -24h + +# XdrDetectionSummaryEvent + - name: XdrType + enum: + - xdr + - xdr-scheduled-search + +# ReconNotificationSummaryEvent + - name: ItemType + enum: + - CS + - 6G + - 6G_EXTERNAL + - LEGACY_TI + - BREACH_6G + - SCRAPPY + - TYPOSQUATTING + +# MobileDetectionSummaryEvent + - name: DetectId + cardinality: 100000 + +# CSPM + - name: Region + enum: + - us-west-1 + - us-west-2 + - us-east-1 + - us-east-2 + - name: Disposition + enum: + - Failed + - Passed + +# IncidentSummaryEvent + - name: IncidentState + enum: + - open + - closed + - name: FineScore + range: + min: 0.1 + max: 10 + - name: LateralMovement + range: + min: 0 + max: 1 + - name: IncidentType + range: + min: 1 + max: 2 +# AuthActivityAuditEvent + - name: OperationName + enum: + - activateUser + - changePassword + - confirmResetPassword + - createUser + - deactivateUser + - deleteUser + - grantUserRoles + - grantCustomerSubscriptions + - requestResetPassword + - resetAuthSecret + - revokeUserRoles + - revokeCustomerSubscriptions + - selfAcceptEula + - twoFactorAuthenticate + - updateUser + - updateUserRoles + - userAuthenticate + - name: ServiceName + enum: + - Crowdstrike Streaming API + - detections +# IdentityProtectionEvent + - name: Category + enum: + - Detections + - Incidents + - name: State + enum: + - NEW + - IN_PROGRESS + - DISMISS + - RESOLVED + - AUTO_RESOLVED + +# FirewallMatchEvent + - name: DeviceId + cardinality: 100000 + - name: EventType + enum: + - FirewallRuleIP4Matched + - FirewallRuleIP6Matched + - FirewallRuleApplicationFailed + +# DetectionSummaryEvent + - name: ComputerName + cardinality: 10000 + - name: IOCType + enum: + - domain + - filename + - hash_md5 + - hash_sha256 + - registry_key + - command_line + - behavior + +# EppDetectionSummaryEvent + - name: AgentId + cardinality: 100000 + - name: AggregateId + value: xxxxxx:529fb8e5xxxxxxxx5d577e3f:38655211725 + - name: CompositeId + value: xxxxxxxx:ind:529fb8e5xxxxxxxx5d577e3f:41104 + - name: DataDomains + enum: + - Identity + - Web + - Network + - Email + - Endpoint + - Cloud + - IoT + - name: FileName + cardinality: 100000 + - name: HostGroups + cardinality: 10000 + - name: Hostname + cardinality: 100000 + - name: MACAddress + value: ba-xx-00-xx-d0-00 + - name: MD5String + cardinality: 100000 + - name: NetworkAccesses.ConnectionDirection + range: + min: 0 + max: 2 + - name: NetworkAccesses.LocalPort + range: + min: 10 + max: 90000 + - name: NetworkAccesses.RemotePort + range: + min: 10 + max: 90000 + - name: NetworkAccesses.Protocol + enum: + - TCP + - UDP + - name: PlatformName + enum: + - Windows + - Linux + - Mac + - name: Severity + range: + min: 0 + max: 100 + - name: DetectionSeverity + range: + min: 0 + max: 5 + - name: SeverityName + enum: + - Informational + - Low + - Medium + - High + - Critical + - name: Type + enum: + - ldt + - ofp + - name: UserName + cardinality: 10000 diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark/fields.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark/fields.yml new file mode 100644 index 0000000000..4f8c2d7ddc --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark/fields.yml @@ -0,0 +1,469 @@ +- name: metadata + type: group + fields: + - name: eventType + type: keyword + - name: customerIDString + type: keyword + - name: offset + type: integer +- name: AgentId + type: keyword +- name: AggregateId + type: keyword +- name: CommandLine + type: keyword +- name: CompositeId + type: keyword +- name: DataDomains + type: keyword +- name: Description + type: text +- name: FalconHostLink + type: keyword +- name: FileName + type: keyword +- name: FilePath + type: keyword +- name: GrandParentCommandLine + type: keyword +- name: GrandParentImageFileName + type: keyword +- name: GrandParentImageFilePath + type: keyword +- name: HostGroups + type: keyword +- name: Hostname + type: keyword +- name: LocalIP + type: ip +- name: LocalIPv6 + type: ip +- name: LogonDomain + type: keyword +- name: MACAddress + type: keyword +- name: MD5String + type: keyword +- name: Name + type: keyword +- name: NetworkAccesses + type: group + fields: + - name: AccessType + type: integer + - name: ConnectionDirection + type: integer + - name: IsIPV6 + type: boolean + - name: LocalAddress + type: ip + - name: LocalPort + type: integer + - name: Protocol + type: keyword + - name: RemoteAddress + type: ip + - name: RemotePort + type: integer +- name: Objective + type: keyword +- name: ParentCommandLine + type: keyword +- name: ParentImageFileName + type: keyword +- name: ParentImageFilePath + type: keyword +- name: ParentProcessId + type: integer +- name: PatternDispositionDescription + type: text +- name: PatternDispositionFlags + type: group + fields: + - name: BlockingUnsupportedOrDisabled + type: boolean + - name: BootupSafeguardEnabled + type: boolean + - name: ContainmentFileSystem + type: boolean + - name: CriticalProcessDisabled + type: boolean + - name: Detect + type: boolean + - name: FsOperationBlocked + type: boolean + - name: HandleOperationDowngraded + type: boolean + - name: InddetMask + type: boolean + - name: Indicator + type: boolean + - name: KillActionFailed + type: boolean + - name: KillParent + type: boolean + - name: KillProcess + type: boolean + - name: KillSubProcess + type: boolean + - name: OperationBlocked + type: boolean + - name: PolicyDisabled + type: boolean + - name: ProcessBlocked + type: boolean + - name: QuarantineFile + type: boolean + - name: QuarantineMachine + type: boolean + - name: RegistryOperationBlocked + type: boolean + - name: Rooting + type: boolean + - name: SensorOnly + type: boolean + - name: SuspendParent + type: boolean + - name: SuspendProcess + type: boolean +- name: PatternDispositionValue + type: integer +- name: PatternId + type: integer +- name: PlatformId + type: keyword +- name: PlatformName + type: keyword +- name: ProcessEndTime + type: integer +- name: ProcessId + type: integer +- name: ProcessStartTime + type: integer +- name: ReferrerUrl + type: keyword +- name: SHA1String + type: keyword +- name: SHA256String + type: keyword +- name: Severity + type: integer +- name: DetectionSeverity + type: integer +- name: SeverityName + type: keyword +- name: SourceProducts + type: keyword +- name: SourceVendors + type: keyword +- name: Tactic + type: keyword +- name: Technique + type: keyword +- name: Type + type: keyword +- name: UserName + type: keyword +- name: ComputerName + type: keyword +- name: DetectName + type: keyword +- name: DetectDescription + type: text +- name: MachineDomain + type: keyword +- name: SensorId + type: keyword +- name: IOCType + type: keyword +- name: IOCValue + type: keyword +- name: DetectId + type: keyword +- name: GrandparentImageFileName + type: keyword +- name: GrandparentCommandLine + type: keyword +- name: AssociatedFile + type: keyword +- name: DeviceId + type: keyword +- name: CustomerId + type: keyword +- name: Ipv + type: ip +- name: EventType + type: keyword +- name: Flags + type: group + fields: + - name: Audit + type: boolean + - name: Log + type: boolean + - name: Monitor + type: boolean +- name: HostName + type: keyword +- name: ICMPCode + type: keyword +- name: ICMPType + type: keyword +- name: ImageFileName + type: keyword +- name: MatchCount + type: integer +- name: MatchCountSinceLastReport + type: integer +- name: NetworkProfile + type: keyword +- name: PID + type: integer +- name: PolicyName + type: keyword +- name: PolicyID + type: keyword +- name: Protocol + type: keyword +- name: RuleAction + type: keyword +- name: RuleDescription + type: text +- name: RuleFamilyID + type: keyword +- name: RuleGroupName + type: keyword +- name: RuleName + type: keyword +- name: RuleId + type: keyword +- name: Status + type: keyword +- name: TreeID + type: keyword +- name: SourceAccountDomain + type: keyword +- name: SourceAccountName + type: keyword +- name: SourceAccountObjectSid + type: keyword +- name: SourceEndpointAccountObjectGuid + type: keyword +- name: SourceEndpointAccountObjectSid + type: keyword +- name: SourceEndpointHostName + type: keyword +- name: SourceEndpointIpAddress + type: ip +- name: SourceEndpointSensorId + type: keyword +- name: ActivityId + type: keyword +- name: IncidentType + type: integer +- name: IdpIncidentType + type: keyword +- name: IncidentDescription + type: text +- name: IdentityProtectionIncidentId + type: keyword +- name: EndpointName + type: keyword +- name: EndpointIp + type: ip +- name: Category + type: keyword +- name: NumbersOfAlerts + type: integer +- name: NumberOfCompromisedEntities + type: integer +- name: State + type: keyword +- name: IncidentState + type: keyword +- name: UserId + type: keyword +- name: UserIp + type: ip +- name: OperationName + type: keyword +- name: ServiceName + type: keyword +- name: Success + type: boolean +- name: AuditKeyValues + type: group + fields: + - name: Key + type: keyword + - name: ValueString + type: keyword +- name: Attributes + type: group + fields: + - name: actor_cid + type: keyword + - name: actor_user + type: keyword + - name: actor_user_uuid + type: keyword + - name: app_id + type: keyword + - name: detection_id + type: keyword + - name: saml_assertion + type: keyword + - name: target_user + type: keyword + - name: trace_id + type: keyword +- name: UserUUID + type: keyword +- name: UserID + type: keyword +- name: ExecutionID + type: keyword +- name: ReportID + type: keyword +- name: ReportName + type: keyword +- name: ReportType + type: keyword +- name: ReportFileReference + type: keyword +- name: StatusMessage + type: keyword +- name: ExecutionMetadata + type: group + fields: + - name: ExecutionStart + type: integer + - name: ExecutionDuration + type: integer + - name: ReportFileName + type: keyword + - name: ResultCount + type: integer + - name: ResultID + type: keyword + - name: SearchWindowStart + type: integer + - name: SearchWindowEnd + type: integer +- name: SessionId + type: keyword +- name: HostnameField + type: keyword +- name: AgentIdString + type: keyword +- name: FineScore + type: float +- name: LateralMovement + type: integer +- name: IncidentID + type: keyword +- name: HostID + type: keyword +- name: LMHostIDs + type: keyword +- name: AccountId + type: keyword +- name: PolicyId + type: integer +- name: PolicyStatement + type: keyword +- name: CloudProvider + type: keyword +- name: CloudService + type: keyword +- name: EventAction + type: keyword +- name: EventSource + type: keyword +- name: UserSourceIp + type: ip +- name: Region + type: keyword +- name: ResourceId + type: keyword +- name: ResourceIdType + type: keyword +- name: ResourceName + type: keyword +- name: ResourceCreateTime + type: integer +- name: CloudPlatform + type: keyword +- name: Disposition + type: keyword +- name: ResourceUrl + type: keyword +- name: Finding + type: keyword +- name: ResourceAttributes + type: keyword +- name: Tags + type: group + fields: + - name: Key + type: keyword + - name: ValueString + type: keyword +- name: ReportUrl + type: keyword +- name: MobileDetectionId + type: integer +- name: TacticId + type: keyword +- name: TechniqueId + type: keyword +- name: MobileAppsDetails + type: group + fields: + - name: AppIdentifier + type: keyword + - name: AndroidAppLabel + type: keyword + - name: DexFileHashes + type: keyword + - name: ImageFileName + type: keyword + - name: AppInstallerInformation + type: keyword + - name: IsBeingDebugged + type: boolean + - name: AndroidAppVersionName + type: keyword + - name: IsContainerized + type: boolean +- name: NotificationId + type: keyword +- name: Highlights + type: keyword +- name: RuleTopic + type: keyword +- name: RulePriority + type: keyword +- name: ItemId + type: keyword +- name: ItemType + type: keyword +- name: Author + type: keyword +- name: IPv4Addresses + type: ip +- name: HostNames + type: keyword +- name: timestamp + type: date +- name: TacticIds + type: keyword +- name: Tactics + type: keyword +- name: TechniqueIds + type: keyword +- name: Techniques + type: keyword +- name: XdrType + type: keyword diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark/template.ndjson b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark/template.ndjson new file mode 100644 index 0000000000..e08451d32e --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/benchmark/system/falcon-benchmark/template.ndjson @@ -0,0 +1,220 @@ +{{- $AgentId := generate "AgentId" }} +{{- $AggregateId := generate "AggregateId" }} +{{- $CommandLine := generate "CommandLine" }} +{{- $CompositeId := generate "CompositeId" }} +{{- $DataDomains := generate "DataDomains" }} +{{- $Description := generate "Description" }} +{{- $FalconHostLink := generate "FalconHostLink" }} +{{- $FileName := generate "FileName" }} +{{- $FilePath := generate "FilePath" }} +{{- $GrandParentCommandLine := generate "GrandParentCommandLine" }} +{{- $GrandParentImageFileName := generate "GrandParentImageFileName" }} +{{- $GrandParentImageFilePath := generate "GrandParentImageFilePath" }} +{{- $HostGroups := generate "HostGroups" }} +{{- $Hostname := generate "Hostname" }} +{{- $LocalIP := generate "LocalIP" }} +{{- $LocalIPv6 := generate "LocalIPv6" }} +{{- $LogonDomain := generate "LogonDomain" }} +{{- $MACAddress := generate "MACAddress" }} +{{- $MD5String := generate "MD5String" }} +{{- $Name := generate "Name" }} +{{- $AccessType := generate "NetworkAccesses.AccessType" }} +{{- $ConnectionDirection := generate "NetworkAccesses.ConnectionDirection" }} +{{- $IsIPV6 := generate "NetworkAccesses.IsIPV6" }} +{{- $LocalAddress := generate "NetworkAccesses.LocalAddress" }} +{{- $LocalPort := generate "NetworkAccesses.LocalPort" }} +{{- $Protocol := generate "NetworkAccesses.Protocol" }} +{{- $RemoteAddress := generate "NetworkAccesses.RemoteAddress" }} +{{- $RemotePort := generate "NetworkAccesses.RemotePort" }} +{{- $Objective := generate "Objective" }} +{{- $ParentCommandLine := generate "ParentCommandLine" }} +{{- $ParentImageFileName := generate "ParentImageFileName" }} +{{- $ParentImageFilePath := generate "ParentImageFilePath" }} +{{- $ParentProcessId := generate "ParentProcessId" }} +{{- $PatternDispositionDescription := generate "PatternDispositionDescription" }} +{{- $BlockingUnsupportedOrDisabled := generate "PatternDispositionFlags.BlockingUnsupportedOrDisabled" }} +{{- $BootupSafeguardEnabled := generate "PatternDispositionFlags.BootupSafeguardEnabled" }} +{{- $ContainmentFileSystem := generate "PatternDispositionFlags.ContainmentFileSystem" }} +{{- $CriticalProcessDisabled := generate "PatternDispositionFlags.CriticalProcessDisabled" }} +{{- $Detect := generate "PatternDispositionFlags.Detect" }} +{{- $FsOperationBlocked := generate "PatternDispositionFlags.FsOperationBlocked" }} +{{- $HandleOperationDowngraded := generate "PatternDispositionFlags.HandleOperationDowngraded" }} +{{- $InddetMask := generate "PatternDispositionFlags.InddetMask" }} +{{- $Indicator := generate "PatternDispositionFlags.Indicator" }} +{{- $KillActionFailed := generate "PatternDispositionFlags.KillActionFailed" }} +{{- $KillParent := generate "PatternDispositionFlags.KillParent" }} +{{- $KillProcess := generate "PatternDispositionFlags.KillProcess" }} +{{- $KillSubProcess := generate "PatternDispositionFlags.KillSubProcess" }} +{{- $OperationBlocked := generate "PatternDispositionFlags.OperationBlocked" }} +{{- $PolicyDisabled := generate "PatternDispositionFlags.PolicyDisabled" }} +{{- $ProcessBlocked := generate "PatternDispositionFlags.ProcessBlocked" }} +{{- $QuarantineFile := generate "PatternDispositionFlags.QuarantineFile" }} +{{- $QuarantineMachine := generate "PatternDispositionFlags.QuarantineMachine" }} +{{- $RegistryOperationBlocked := generate "PatternDispositionFlags.RegistryOperationBlocked" }} +{{- $Rooting := generate "PatternDispositionFlags.Rooting" }} +{{- $SensorOnly := generate "PatternDispositionFlags.SensorOnly" }} +{{- $SuspendParent := generate "PatternDispositionFlags.SuspendParent" }} +{{- $SuspendProcess := generate "PatternDispositionFlags.SuspendProcess" }} +{{- $PatternDispositionValue := generate "PatternDispositionValue" }} +{{- $PatternId := generate "PatternId" }} +{{- $PlatformId := generate "PlatformId" }} +{{- $PlatformName := generate "PlatformName" }} +{{- $ProcessEndTime := generate "ProcessEndTime" }} +{{- $ProcessId := generate "ProcessId" }} +{{- $ProcessStartTime := generate "ProcessStartTime" }} +{{- $ReferrerUrl := generate "ReferrerUrl" }} +{{- $SHA1String := generate "SHA1String" }} +{{- $SHA256String := generate "SHA256String" }} +{{- $Severity := generate "Severity" }} +{{- $DetectionSeverity := generate "DetectionSeverity" }} +{{- $SeverityName := generate "SeverityName" }} +{{- $SourceProducts := generate "SourceProducts" }} +{{- $SourceVendors := generate "SourceVendors" }} +{{- $Tactic := generate "Tactic" }} +{{- $Technique := generate "Technique" }} +{{- $Type := generate "Type" }} +{{- $UserName := generate "UserName" }} +{{- $ComputerName := generate "ComputerName" }} +{{- $DetectName := generate "DetectName" }} +{{- $DetectDescription := generate "DetectDescription" }} +{{- $MachineDomain := generate "MachineDomain" }} +{{- $SensorId := generate "SensorId" }} +{{- $IOCType := generate "IOCType" }} +{{- $IOCValue := generate "IOCValue" }} +{{- $DetectId := generate "DetectId" }} +{{- $GrandparentImageFileName := generate "GrandparentImageFileName" }} +{{- $GrandparentCommandLine := generate "GrandparentCommandLine" }} +{{- $AssociatedFile := generate "AssociatedFile" }} +{{- $DeviceId := generate "DeviceId" }} +{{- $CustomerId := generate "CustomerId" }} +{{- $Ipv := generate "Ipv" }} +{{- $EventType := generate "EventType" }} +{{- $Audit := generate "Flags.Audit" }} +{{- $Log := generate "Flags.Log" }} +{{- $Monitor := generate "Flags.Monitor" }} +{{- $HostName := generate "HostName" }} +{{- $ICMPCode := generate "ICMPCode" }} +{{- $ICMPType := generate "ICMPType" }} +{{- $ImageFileName := generate "ImageFileName" }} +{{- $MatchCount := generate "MatchCount" }} +{{- $MatchCountSinceLastReport := generate "MatchCountSinceLastReport" }} +{{- $NetworkProfile := generate "NetworkProfile" }} +{{- $PID := generate "PID" }} +{{- $PolicyName := generate "PolicyName" }} +{{- $PolicyID := generate "PolicyID" }} +{{- $Protocol := generate "Protocol" }} +{{- $RuleAction := generate "RuleAction" }} +{{- $RuleDescription := generate "RuleDescription" }} +{{- $RuleFamilyID := generate "RuleFamilyID" }} +{{- $RuleGroupName := generate "RuleGroupName" }} +{{- $RuleName := generate "RuleName" }} +{{- $RuleId := generate "RuleId" }} +{{- $Status := generate "Status" }} +{{- $TreeID := generate "TreeID" }} +{{- $SourceAccountDomain := generate "SourceAccountDomain" }} +{{- $SourceAccountName := generate "SourceAccountName" }} +{{- $SourceAccountObjectSid := generate "SourceAccountObjectSid" }} +{{- $SourceEndpointAccountObjectGuid := generate "SourceEndpointAccountObjectGuid" }} +{{- $SourceEndpointAccountObjectSid := generate "SourceEndpointAccountObjectSid" }} +{{- $SourceEndpointHostName := generate "SourceEndpointHostName" }} +{{- $SourceEndpointIpAddress := generate "SourceEndpointIpAddress" }} +{{- $SourceEndpointSensorId := generate "SourceEndpointSensorId" }} +{{- $ActivityId := generate "ActivityId" }} +{{- $IncidentType := generate "IncidentType" }} +{{- $IdpIncidentType := generate "IdpIncidentType" }} +{{- $IncidentDescription := generate "IncidentDescription" }} +{{- $IdentityProtectionIncidentId := generate "IdentityProtectionIncidentId" }} +{{- $EndpointName := generate "EndpointName" }} +{{- $EndpointIp := generate "EndpointIp" }} +{{- $Category := generate "Category" }} +{{- $NumbersOfAlerts := generate "NumbersOfAlerts" }} +{{- $NumberOfCompromisedEntities := generate "NumberOfCompromisedEntities" }} +{{- $State := generate "State" }} +{{- $IncidentState := generate "IncidentState" }} +{{- $UserId := generate "UserId" }} +{{- $UserIp := generate "UserIp" }} +{{- $OperationName := generate "OperationName" }} +{{- $ServiceName := generate "ServiceName" }} +{{- $Success := generate "Success" }} +{{- $Key := generate "AuditKeyValues.Key" }} +{{- $ValueString := generate "AuditKeyValues.ValueString" }} +{{- $actor_cid := generate "Attributes.actor_cid" }} +{{- $actor_user := generate "Attributes.actor_user" }} +{{- $actor_user_uuid := generate "Attributes.actor_user_uuid" }} +{{- $app_id := generate "Attributes.app_id" }} +{{- $saml_assertion := generate "Attributes.saml_assertion" }} +{{- $target_user := generate "Attributes.target_user" }} +{{- $trace_id := generate "Attributes.trace_id" }} +{{- $detection_id := generate "Attributes.detection_id" }} +{{- $UserUUID := generate "UserUUID" }} +{{- $UserID := generate "UserID" }} +{{- $ExecutionID := generate "ExecutionID" }} +{{- $ReportID := generate "ReportID" }} +{{- $ReportName := generate "ReportName" }} +{{- $ReportType := generate "ReportType" }} +{{- $ReportFileReference := generate "ReportFileReference" }} +{{- $StatusMessage := generate "StatusMessage" }} +{{- $ExecutionStart := generate "ExecutionMetadata.ExecutionStart" }} +{{- $ExecutionDuration := generate "ExecutionMetadata.ExecutionDuration" }} +{{- $ReportFileName := generate "ExecutionMetadata.ReportFileName" }} +{{- $ResultCount := generate "ExecutionMetadata.ResultCount" }} +{{- $ResultID := generate "ExecutionMetadata.ResultID" }} +{{- $SearchWindowStart := generate "ExecutionMetadata.SearchWindowStart" }} +{{- $SearchWindowEnd := generate "ExecutionMetadata.SearchWindowEnd" }} +{{- $SessionId := generate "SessionId" }} +{{- $HostnameField := generate "HostnameField" }} +{{- $AgentIdString := generate "AgentIdString" }} +{{- $FineScore := generate "FineScore" }} +{{- $LateralMovement := generate "LateralMovement" }} +{{- $IncidentID := generate "IncidentID" }} +{{- $HostID := generate "HostID" }} +{{- $LMHostIDs := generate "LMHostIDs" }} +{{- $AccountId := generate "AccountId" }} +{{- $PolicyId := generate "PolicyId" }} +{{- $PolicyStatement := generate "PolicyStatement" }} +{{- $CloudProvider := generate "CloudProvider" }} +{{- $CloudService := generate "CloudService" }} +{{- $EventAction := generate "EventAction" }} +{{- $EventSource := generate "EventSource" }} +{{- $UserSourceIp := generate "UserSourceIp" }} +{{- $Region := generate "Region" }} +{{- $ResourceId := generate "ResourceId" }} +{{- $ResourceIdType := generate "ResourceIdType" }} +{{- $ResourceName := generate "ResourceName" }} +{{- $ResourceCreateTime := generate "ResourceCreateTime" }} +{{- $CloudPlatform := generate "CloudPlatform" }} +{{- $Disposition := generate "Disposition" }} +{{- $ResourceUrl := generate "ResourceUrl" }} +{{- $Finding := generate "Finding" }} +{{- $Key := generate "Tags.Key" }} +{{- $ValueString := generate "Tags.ValueString" }} +{{- $ReportUrl := generate "ReportUrl" }} +{{- $MobileDetectionId := generate "MobileDetectionId" }} +{{- $TacticId := generate "TacticId" }} +{{- $TechniqueId := generate "TechniqueId" }} +{{- $AppIdentifier := generate "MobileAppsDetails.AppIdentifier" }} +{{- $AndroidAppLabel := generate "MobileAppsDetails.AndroidAppLabel" }} +{{- $DexFileHashes := generate "MobileAppsDetails.DexFileHashes" }} +{{- $ImageFileName := generate "MobileAppsDetails.ImageFileName" }} +{{- $AppInstallerInformation := generate "MobileAppsDetails.AppInstallerInformation" }} +{{- $IsBeingDebugged := generate "MobileAppsDetails.IsBeingDebugged" }} +{{- $AndroidAppVersionName := generate "MobileAppsDetails.AndroidAppVersionName" }} +{{- $IsContainerized := generate "MobileAppsDetails.IsContainerized" }} +{{- $NotificationId := generate "NotificationId" }} +{{- $Highlights := generate "Highlights" }} +{{- $RuleTopic := generate "RuleTopic" }} +{{- $RulePriority := generate "RulePriority" }} +{{- $ItemId := generate "ItemId" }} +{{- $ItemType := generate "ItemType" }} +{{- $Author := generate "Author" }} +{{- $IPv4Addresses := generate "IPv4Addresses" }} +{{- $HostNames := generate "HostNames" }} +{{- $TacticIds := generate "TacticIds" }} +{{- $Tactics := generate "Tactics" }} +{{- $TechniqueIds := generate "TechniqueIds" }} +{{- $Techniques := generate "Techniques" }} +{{- $XdrType := generate "XdrType" }} +{{- $metadata_eventType := generate "metadata.eventType" }} +{{- $metadata_customerIDString := generate "metadata.customerIDString" }} +{{- $metadata_offset := generate "metadata.offset" }} +{"metadata": {"customerIDString": "{{ $metadata_customerIDString }}","offset": {{ $metadata_offset }},"eventType": "{{ $metadata_eventType }}","eventCreationTime": 1686845212400,"version": "1.0"},"event": { {{- if eq $metadata_eventType "EppDetectionSummaryEvent" }}"AgentId": "{{ $AgentId }}","AggregateId": "{{ $AggregateId }}","CommandLine": "C:\\Windows\\{{ $CommandLine }}","CompositeId": "{{ $CompositeId }}","DataDomains": "{{ $DataDomains }}","Description": "{{ $Description }}","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/{{ $FalconHostLink }}?_cid=xxxxxxx","FileName": "{{ $FileName }}","FilePath": "{{ $FilePath }}\\{{ $FileName }}","FilesAccessed": [{"FileName": "{{ $FileName }}","FilePath": "{{ $FilePath }}\\{{ $FileName }}","Timestamp": 1751371830}],"FilesWritten": [{"FileName": "{{ $FileName }}","FilePath": "{{ $FilePath }}\\{{ $FileName }}","Timestamp": 1751371830}],"GrandParentCommandLine": "C:\\Windows\\{{ $GrandParentCommandLine }}","GrandParentImageFileName": "{{ $GrandParentImageFileName }}","GrandParentImageFilePath": "{{ $GrandParentImageFilePath }}\\{{ $GrandParentImageFileName }}","HostGroups": "{{ $HostGroups }}","Hostname": "{{ $Hostname }}","LocalIP": "{{ $LocalIP }}","LocalIPv6": "{{ $LocalIPv6 }}","LogonDomain": "{{ $LogonDomain }}","MACAddress": "{{ $MACAddress }}","MD5String": "{{ $MD5String }}","Name": "{{ $Name }}","NetworkAccesses": [{"AccessTimestamp": 1751371565,"AccessType": {{ $AccessType }},"ConnectionDirection": {{ $ConnectionDirection }},"IsIPV6": {{ $IsIPV6 }},"LocalAddress": "{{ $LocalAddress }}","LocalPort": {{ $LocalPort }},"Protocol": "{{ $Protocol }}","RemoteAddress": "{{ $RemoteAddress }}","RemotePort": {{ $RemotePort }}}],"Objective": "{{ $Objective }}","ParentCommandLine": "C:\\Windows\\{{ $ParentCommandLine }}\\{{ $ParentImageFileName }}","ParentImageFileName": "{{ $ParentImageFileName }}","ParentImageFilePath": "{{ $ParentImageFilePath }}\\{{ $ParentImageFileName }}","ParentProcessId": {{ $ParentProcessId }},"PatternDispositionDescription": "{{ $PatternDispositionDescription }}","PatternDispositionFlags": {"BlockingUnsupportedOrDisabled": {{ $BlockingUnsupportedOrDisabled }},"BootupSafeguardEnabled": {{ $BootupSafeguardEnabled }},"ContainmentFileSystem": {{ $ContainmentFileSystem }},"CriticalProcessDisabled": {{ $CriticalProcessDisabled }},"Detect": {{ $Detect }},"FsOperationBlocked": {{ $FsOperationBlocked }},"HandleOperationDowngraded": {{ $HandleOperationDowngraded }},"InddetMask": {{ $InddetMask }},"Indicator": {{ $Indicator }},"KillActionFailed": {{ $KillActionFailed }},"KillParent": {{ $KillParent }},"KillProcess": {{ $KillProcess }},"KillSubProcess": {{ $KillSubProcess }},"OperationBlocked": {{ $OperationBlocked }},"PolicyDisabled": {{ $PolicyDisabled }},"ProcessBlocked": {{ $ProcessBlocked }},"QuarantineFile": {{ $QuarantineFile }},"QuarantineMachine": {{ $QuarantineMachine }},"RegistryOperationBlocked": {{ $RegistryOperationBlocked }},"Rooting": {{ $Rooting }},"SensorOnly": {{ $SensorOnly }},"SuspendParent": {{ $SuspendParent }},"SuspendProcess": {{ $SuspendProcess }}},"PatternDispositionValue": {{ $PatternDispositionValue }},"PatternId": {{ $PatternId }},"PlatformId": "{{ $PlatformId }}","PlatformName": "{{ $PlatformName }}","ProcessEndTime": {{ $ProcessEndTime }},"ProcessId": {{ $ProcessId }},"ProcessStartTime": {{ $ProcessStartTime }},"ReferrerUrl": "{{ $ReferrerUrl }}","SHA1String": "{{ $SHA1String }}","SHA256String": "{{ $SHA256String }}","Severity": {{ $Severity }},"SeverityName": "{{ $SeverityName }}","SourceProducts": "{{ $SourceProducts }}","SourceVendors": "{{ $SourceVendors }}","Tactic": "{{ $Tactic }}","Technique": "{{ $Technique }}","Type": "{{ $Type }}","UserName": "{{ $UserName }}"{{- else if eq $metadata_eventType "DetectionSummaryEvent" }}"ProcessStartTime": {{ $ProcessStartTime }},"ProcessEndTime": {{ $ProcessEndTime }},"ProcessId": {{ $ProcessId }},"ParentProcessId": {{ $ParentProcessId }},"ComputerName": "{{ $ComputerName }}","UserName": "{{ $UserName }}","DetectName": "{{ $DetectName }}","DetectDescription": "{{ $DetectDescription }}","Severity": {{ $DetectionSeverity }},"SeverityName": "{{ $SeverityName }}","FileName": "{{ $FileName }}","FilePath": "{{ $FilePath }}\\{{ $FileName }}","CommandLine": "C:\\Windows\\{{ $CommandLine }}","SHA256String": "{{ $SHA256String }}","MD5String": "{{ $MD5String }}","SHA1String": "{{ $SHA1String }}","MachineDomain": "{{ $MachineDomain }}","NetworkAccesses": [{"AccessType": {{ $AccessType }},"AccessTimestamp": 1751371565,"Protocol": "{{ $Protocol }}","LocalAddress": "{{ $LocalAddress }}","LocalPort": {{ $LocalPort }},"RemoteAddress": "{{ $RemoteAddress }}","RemotePort": {{ $RemotePort }},"ConnectionDirection": {{ $ConnectionDirection }},"IsIPV6": {{ $IsIPV6 }}}],"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/{{ $FalconHostLink }}?_cid=xxxxxxx","SensorId": "{{ $SensorId }}","IOCType": "{{ $IOCType }}","IOCValue": "{{ $IOCValue }}","DetectId": "{{ $DetectId }}","LocalIP": "{{ $LocalIP }}","MACAddress": "{{ $MACAddress }}","Tactic": "{{ $Tactic }}","Technique": "{{ $Technique }}","Objective": "{{ $Objective }}","PatternDispositionDescription": "{{ $PatternDispositionDescription }}","PatternDispositionValue": {{ $PatternDispositionValue }},"PatternDispositionFlags": {"Indicator": {{ $Indicator }},"Detect": {{ $Detect }},"InddetMask": {{ $InddetMask }},"SensorOnly": {{ $SensorOnly }},"Rooting": {{ $Rooting }},"KillProcess": {{ $KillProcess }},"KillSubProcess": {{ $KillSubProcess }},"QuarantineMachine": {{ $QuarantineMachine }},"QuarantineFile": {{ $QuarantineFile }},"PolicyDisabled": {{ $PolicyDisabled }},"KillParent": {{ $KillParent }},"OperationBlocked": {{ $OperationBlocked }},"ProcessBlocked": {{ $ProcessBlocked }},"RegistryOperationBlocked": {{ $RegistryOperationBlocked }},"CriticalProcessDisabled": {{ $CriticalProcessDisabled }},"BootupSafeguardEnabled": {{ $BootupSafeguardEnabled }},"FsOperationBlocked": {{ $FsOperationBlocked }},"HandleOperationDowngraded": {{ $HandleOperationDowngraded }},"KillActionFailed": {{ $KillActionFailed }},"BlockingUnsupportedOrDisabled": {{ $BlockingUnsupportedOrDisabled }},"SuspendProcess": {{ $SuspendProcess }},"SuspendParent": {{ $SuspendParent }}},"ParentImageFileName": "{{ $ParentImageFileName }}","ParentCommandLine": "{{ $ParentCommandLine }}","GrandparentImageFileName": "{{ $GrandparentImageFileName }}","GrandparentCommandLine": "{{ $GrandparentCommandLine }}","HostGroups": "{{ $HostGroups }}","AssociatedFile": "{{ $AssociatedFile }}","PatternId": {{ $PatternId }}{{- else if eq $metadata_eventType "FirewallMatchEvent" }}"DeviceId": "{{ $DeviceId }}","CustomerId": "{{ $CustomerId }}","Ipv": "{{ $Ipv }}","CommandLine": "{{ $CommandLine }}","ConnectionDirection": "{{ $ConnectionDirection }}","EventType": "{{ $EventType }}","Flags": {"Audit": {{ $Audit }},"Log": {{ $Log }},"Monitor": {{ $Monitor }}},"HostName": "{{ $HostName }}","ICMPCode": "{{ $ICMPCode }}","ICMPType": "{{ $ICMPType }}","ImageFileName": "{{ $ImageFileName }}","LocalAddress": "{{ $LocalAddress }}","LocalPort": "{{ $LocalPort }}","MatchCount": {{ $MatchCount }},"MatchCountSinceLastReport": {{ $MatchCountSinceLastReport }},"NetworkProfile": "{{ $NetworkProfile }}","PID": "{{ $PID }}","PolicyName": "{{ $PolicyName }}","PolicyID": "{{ $PolicyID }}","Protocol": "{{ $Protocol }}","RemoteAddress": "{{ $RemoteAddress }}","RemotePort": "{{ $RemotePort }}","RuleAction": "{{ $RuleAction }}","RuleDescription": "{{ $RuleDescription }}","RuleFamilyID": "{{ $RuleFamilyID }}","RuleGroupName": "{{ $RuleGroupName }}","RuleName": "{{ $RuleName }}","RuleId": "{{ $RuleId }}","Status": "{{ $Status }}","Timestamp": 1751371830,"TreeID": "{{ $TreeID }}"{{- else if eq $metadata_eventType "IdpDetectionSummaryEvent" }}"ContextTimeStamp": 133984620360000000,"CompositeId": "{{ $CompositeId }}","DetectId": "{{ $DetectId }}","DetectName": "{{ $DetectName }}","DetectDescription": "{{ $DetectDescription }}","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/{{ $FalconHostLink }}?_cid=xxxxxxx","StartTime": 133984620360000000,"EndTime": 133984620360000000,"Severity": {{ $Severity }},"SeverityName": "{{ $SeverityName }}","Tactic": "{{ $Tactic }}","Technique": "{{ $Technique }}","Objective": "{{ $Objective }}","SourceAccountDomain": "{{ $SourceAccountDomain }}","SourceAccountName": "{{ $SourceAccountName }}","SourceAccountObjectSid": "{{ $SourceAccountObjectSid }}","SourceEndpointAccountObjectGuid": "{{ $SourceEndpointAccountObjectGuid }}","SourceEndpointAccountObjectSid": "{{ $SourceEndpointAccountObjectSid }}","SourceEndpointHostName": "{{ $SourceEndpointHostName }}","SourceEndpointIpAddress": "{{ $SourceEndpointIpAddress }}","SourceEndpointSensorId": "{{ $SourceEndpointSensorId }}","PrecedingActivityTimeStamp": 133984620360000000,"MostRecentActivityTimeStamp": 133984620360000000,"ActivityId": "{{ $ActivityId }}","PatternId": {{ $PatternId }}{{- else if eq $metadata_eventType "IdentityProtectionEvent" }}"IncidentType": "{{ $IdpIncidentType }}","IncidentDescription": "{{ $IncidentDescription }}","Severity": {{ $Severity }},"SeverityName": "{{ $SeverityName }}","StartTime": 1686891836383,"EndTime": 1686891836383,"IdentityProtectionIncidentId": "{{ $IdentityProtectionIncidentId }}","UserName": "{{ $UserName }}","EndpointName": "{{ $EndpointName }}","EndpointIp": "{{ $EndpointIp }}","Category": "{{ $Category }}","NumbersOfAlerts": {{ $NumbersOfAlerts }},"NumberOfCompromisedEntities": {{ $NumberOfCompromisedEntities }},"State": "{{ $State }}","FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/{{ $FalconHostLink }}?_cid=xxxxxxx"{{- else if eq $metadata_eventType "AuthActivityAuditEvent" }}"UserId": "{{ $UserId }}","UserIp": "{{ $UserIp }}","OperationName": "{{ $OperationName }}","ServiceName": "{{ $ServiceName }}","Success": {{ $Success }},"UTCTimestamp": 1686849556,"AuditKeyValues": [{"Key": "{{ $Key }}","ValueString": "{{ $ValueString }}"}],"Attributes": {"actor_cid": "{{ $actor_cid }}","actor_user": "{{ $actor_user }}","actor_user_uuid": "{{ $actor_user_uuid }}","app_id": "{{ $app_id }}","saml_assertion": "{{ $saml_assertion }}","target_user": "{{ $target_user }}","trace_id": "{{ $trace_id }}"}{{- else if eq $metadata_eventType "UserActivityAuditEvent" }}"UserId": "{{ $UserId }}","UserIp": "{{ $UserIp }}","OperationName": "{{ $OperationName }}","ServiceName": "{{ $ServiceName }}","AuditKeyValues": [{"Key": "{{ $Key }}","ValueString": "{{ $ValueString }}"}],"UTCTimestamp": 1686849556,"Attributes": {"detection_id": "{{ $detection_id }}"}{{- else if eq $metadata_eventType "ScheduledReportNotificationEvent" }}"UserUUID": "{{ $UserUUID }}","UserID": "{{ $UserID }}","ExecutionID": "{{ $ExecutionID }}","ReportID": "{{ $ReportID }}","ReportName": "{{ $ReportName }}","ReportType": "{{ $ReportType }}","ReportFileReference": "{{ $ReportFileReference }}","Status": "{{ $Status }}","StatusMessage": "{{ $StatusMessage }}","ExecutionMetadata": {"ExecutionStart": {{ $ExecutionStart }},"ExecutionDuration": {{ $ExecutionDuration }},"ReportFileName": "{{ $ReportFileName }}","ResultCount": {{ $ResultCount }},"ResultID": "{{ $ResultID }}","SearchWindowStart": {{ $SearchWindowStart }},"SearchWindowEnd": {{ $SearchWindowEnd }}}{{- else if eq $metadata_eventType "RemoteResponseSessionStartEvent" }}"SessionId": "{{ $SessionId }}","HostnameField": "{{ $HostnameField }}","UserName": "{{ $UserName }}","StartTimestamp": 1582830734,"AgentIdString": "{{ $AgentIdString }}"{{- else if eq $metadata_eventType "IncidentSummaryEvent" }}"IncidentStartTime": 1685844891,"IncidentEndTime": 1685844891,"FalconHostLink": "{{ $FalconHostLink }}","State": "{{ $IncidentState }}","FineScore": {{ $FineScore }},"LateralMovement": {{ $LateralMovement }},"IncidentType": {{ $IncidentType }},"IncidentID": "{{ $IncidentID }}","HostID": "{{ $HostID }}","LMHostIDs": ["{{ $LMHostIDs }}"],"UserId": "{{ $UserId }}"{{- else if eq $metadata_eventType "CSPMIOAStreamingEvent" }}"AccountId": "{{ $AccountId }}","PolicyId": {{ $PolicyId }},"PolicyStatement": "{{ $PolicyStatement }}","CloudProvider": "{{ $CloudProvider }}","CloudService": "{{ $CloudService }}","Severity": {{ $Severity }},"SeverityName": "{{ $SeverityName }}","EventAction": "{{ $EventAction }}","EventSource": "{{ $EventSource }}","EventCreatedTimestamp": 1663011160,"UserId": "{{ $UserId }}","UserName": "{{ $UserName }}","UserSourceIp": "{{ $UserSourceIp }}","Tactic": "{{ $Tactic }}","Technique": "{{ $Technique }}"{{- else if eq $metadata_eventType "CSPMSearchStreamingEvent" }}"AccountId": "{{ $AccountId }}","Region": "{{ $Region }}","ResourceId": "{{ $ResourceId }}","ResourceIdType": "{{ $ResourceIdType }}","ResourceName": "{{ $ResourceName }}","ResourceCreateTime": 0,"PolicyStatement": "{{ $PolicyStatement }}","PolicyId": {{ $PolicyId }},"Severity": {{ $Severity }},"SeverityName": "{{ $SeverityName }}","CloudPlatform": "{{ $CloudPlatform }}","CloudService": "{{ $CloudService }}","Disposition": "{{ $Disposition }}","ResourceUrl": "{{ $ResourceUrl }}","Finding": "{{ $Finding }}","Tags": [{"Key": "{{ $Key }}","ValueString": "{{ $ValueString }}"}],"ReportUrl": "{{ $ReportUrl }}","Timestamp": 1751371830{{- else if eq $metadata_eventType "MobileDetectionSummaryEvent" }}"SensorId": "{{ $SensorId }}","MobileDetectionId": {{ $MobileDetectionId }},"ComputerName": "{{ $ComputerName }}","UserName": "{{ $UserName }}","ContextTimeStamp": 1649061056,"DetectId": "{{ $DetectId }}","DetectName": "{{ $DetectName }}","DetectDescription": "{{ $DetectDescription }}","Tactic": "{{ $Tactic }}","TacticId": "{{ $TacticId }}","Technique": "{{ $Technique }}","TechniqueId": "{{ $TechniqueId }}","Objective": "{{ $Objective }}","Severity": {{ $Severity }},"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/{{ $FalconHostLink }}?_cid=xxxxxxx","MobileAppsDetails": [{"AppIdentifier": "{{ $AppIdentifier }}","AndroidAppLabel": "{{ $AndroidAppLabel }}","DexFileHashes": "{{ $DexFileHashes }}","ImageFileName": "{{ $ImageFileName }}","AppInstallerInformation": "{{ $AppInstallerInformation }}","IsBeingDebugged": {{ $IsBeingDebugged }},"AndroidAppVersionName": "{{ $AndroidAppVersionName }}","IsContainerized": {{ $IsContainerized }}}]{{- else if eq $metadata_eventType "ReconNotificationSummaryEvent" }}"NotificationId": "{{ $NotificationId }}","Highlights": ["{{ $Highlights }}"],"MatchedTimestamp": 1686889114000,"RuleId": "{{ $RuleId }}","RuleName": "{{ $RuleName }}","RuleTopic": "{{ $RuleTopic }}","RulePriority": "{{ $RulePriority }}","ItemId": "{{ $ItemId }}","ItemType": "{{ $ItemType }}","ItemPostedTimestamp": 1686889114000{{- else if eq $metadata_eventType "XdrDetectionSummaryEvent" }}"Author": "{{ $Author }}","DataDomains": "{{ $DataDomains }}","Description": "{{ $Description }}","DetectId": "{{ $DetectId }}","EndTimeEpoch": 1643317697728000000,"IPv4Addresses": "{{ $IPv4Addresses }}","HostNames": "{{ $HostNames }}","Name": "{{ $Name }}","PatternId": {{ $PatternId }},"Severity": {{ $Severity }},"SourceProducts": "{{ $SourceProducts }}","SourceVendors": "{{ $SourceVendors }}","StartTimeEpoch": 1643317697728000000,"TacticIds": "{{ $TacticIds }}","Tactics": "{{ $Tactics }}","TechniqueIds": "{{ $TechniqueIds }}","Techniques": "{{ $Techniques }}","XdrType": "{{ $XdrType }}" } {{end}}}} diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/build/build.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/build/build.yml new file mode 100644 index 0000000000..d8553567e9 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: "git@v8.17.0" diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/build/docs/README.md b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/build/docs/README.md new file mode 100644 index 0000000000..aef2c75e12 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/_dev/build/docs/README.md @@ -0,0 +1,315 @@ +# CrowdStrike Integration + +## Overview + +The [CrowdStrike](https://www.crowdstrike.com/) integration allows you to efficiently connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualization, and incident response. + +For a demo, refer to the following video (click to view). + +[![CrowdStrike integration video](https://play.vidyard.com/VKKWSpg4sDEk1DBXATkyEP.jpg)](https://videos.elastic.co/watch/VKKWSpg4sDEk1DBXATkyEP) + +### Compatibility + +This integration is compatible with CrowdStrike Falcon SIEM Connector v2.0, REST API, and CrowdStrike Event Streams API. + +### How it works + +The integration collects data from multiple sources within CrowdStrike Falcon and ingests it into Elasticsearch for security analysis and visualization: + +![CrowdStrike Integration Flowchart](../img/crowdstrike-elastic-data-flow.drawio.svg) + +1. **CrowdStrike Event Streams** — Real-time security events (auth, CSPM, firewall, user activity, XDR, detections). You can collect this data in two ways: + - **Falcon SIEM Connector** — A pre-built integration that connects CrowdStrike Falcon with your SIEM. The connector collects event stream data and writes it to files; this integration reads from the connector's output path (the `output_path` in `cs.falconhoseclient.cfg`). + - **Event Streams API** — Continuously streams security logs from CrowdStrike Falcon for proactive monitoring and threat detection. + + Data from either method is indexed into the `falcon` dataset in Elasticsearch. + +2. **CrowdStrike REST API** — The integration uses the REST API to pull alerts, host inventory, and vulnerability data (indexed into the `alert`, `host`, and `vulnerability` datasets). + + :::{note} + GovCloud CID users must enable the GovCloud option in the integration configuration to query the `/devices/queries/devices/v1` endpoint instead of the unsupported `/devices/combined/devices/v1` endpoint. + ::: + +3. **Falcon Data Replicator (FDR)** — Batch data from your endpoints, cloud workloads, and identities using the Falcon platform's lightweight agent. Data is written to CrowdStrike-managed S3; this integration consumes it using SQS notifications (or from your own S3 bucket if you use the FDR tool to replicate). Logs are indexed into the `fdr` dataset in Elasticsearch. + +## What data does this integration collect? + +- **Event Streams** (falcon dataset) +- **FDR** (fdr dataset) +- **Alerts** (alert dataset) +- **Hosts** (host dataset) +- **Vulnerability** (vulnerability dataset) + +## What do I need to use this integration? + +This section describes the requirements and configuration details for each supported data source. + +### Collect data using CrowdStrike Falcon SIEM Connector + +To collect data using the Falcon SIEM Connector, you need the file path where the connector stores event data received from the Event Streams. +This is the same as the `output_path` setting in the `cs.falconhoseclient.cfg` configuration file. + +The integration supports only JSON output format from the Falcon SIEM Connector. Other formats such as Syslog and CEF are not supported. + +Additionally, this integration collects logs only through the file system. Ingestion using a Syslog server is not supported. + +:::{note} +The log files are written to multiple rotated output files based on the `output_path` setting in the `cs.falconhoseclient.cfg` file. The default output location for the Falcon SIEM Connector is `/var/log/crowdstrike/falconhoseclient/output`. +By default, files named `output*` in `/var/log/crowdstrike/falconhoseclient` directory contain valid JSON event data and should be used as the source for ingestion. + +Files with names like `cs.falconhoseclient-*.log` in the same directory are primarily used for logging internal operations of the Falcon SIEM Connector and are not intended to be consumed by this integration. +::: + +By default, the configuration file for the Falcon SIEM Connector is located at `/opt/crowdstrike/etc/cs.falconhoseclient.cfg`, which provides configuration options related to the events collected. The `EventTypeCollection` and `EventSubTypeCollection` sections list which event types the connector collects. + +### Collect data using CrowdStrike Event Streams + +The following parameters from your CrowdStrike instance are required: + +1. Client ID +2. Client Secret +3. Token URL +4. API Endpoint URL +5. CrowdStrike App ID +6. Required scopes for event streams: + + | Data Stream | Scope | + | ------------- | ------------------- | + | Event Stream | read: Event streams | + +:::{note} +You can use the Falcon SIEM Connector as an alternative to the Event Streams API. +::: + +#### Supported Event Streams event types + +The following event types are supported for CrowdStrike Event Streams (whether you use the Falcon SIEM Connector or the Event Streams API): + +- CustomerIOCEvent +- DataProtectionDetectionSummaryEvent +- DetectionSummaryEvent +- EppDetectionSummaryEvent +- IncidentSummaryEvent +- UserActivityAuditEvent +- AuthActivityAuditEvent +- FirewallMatchEvent +- RemoteResponseSessionStartEvent +- RemoteResponseSessionEndEvent +- CSPM Streaming events +- CSPM Search events +- IDP Incidents +- IDP Summary events +- Mobile Detection events +- Recon Notification events +- XDR Detection events +- Scheduled Report Notification events + +### Collect data using CrowdStrike REST API + +The following parameters from your CrowdStrike instance are required: + +1. Client ID +2. Client Secret +3. Token URL +4. API Endpoint URL +5. Required scopes for each data stream: + + | Data Stream | Scope | + | ------------- | ------------- | + | Alert | read:alert | + | Host | read:host | + | Vulnerability | read:vulnerability | + +### Collect data using CrowdStrike Falcon Data Replicator (FDR) + +The CrowdStrike Falcon Data Replicator allows CrowdStrike users to replicate data from CrowdStrike +managed S3 buckets. When new data is written to S3, notifications are sent to a CrowdStrike-managed SQS queue (using S3 event notifications configured in AWS), so this integration can consume them. + +This integration can be used in two ways. It can consume SQS notifications directly from the CrowdStrike managed +SQS queue or it can be used in conjunction with the FDR tool that replicates the data to a self-managed S3 bucket +and the integration can read from there. + +In both cases SQS messages are deleted after they are processed. This allows you to operate more than one Elastic +Agent with this integration if needed and not have duplicate events, but it means you cannot ingest the data a second time. + +#### Use with CrowdStrike managed S3/SQS + +This is the simplest way to setup the integration, and also the default. + +You need to set the integration up with the SQS queue URL provided by CrowdStrike FDR. + +#### Use with FDR tool and data replicated to a self-managed S3 bucket + +This option can be used if you want to archive the raw CrowdStrike data. + +You need to follow the steps below: + +- Create an S3 bucket to receive the logs. +- Create an SQS queue. +- Configure your S3 bucket to send object created notifications to your SQS queue. +- Follow the [FDR tool](https://github.com/CrowdStrike/FDR) instructions to replicate data to your own S3 bucket. +- Configure the integration to read from your self-managed SQS topic. + +:::{note} +While the FDR tool can replicate the files from S3 to your local file system, this integration cannot read those files because they are gzip compressed, and the log file input does not support reading compressed files. +::: + +#### Configuration for the S3 input + +AWS credentials are required for running this integration if you want to use the S3 input. + +##### Configuration parameters +* `access_key_id`: first part of access key. +* `secret_access_key`: second part of access key. +* `session_token`: required when using temporary security credentials. +* `credential_profile_name`: profile name in shared credentials file. +* `shared_credential_file`: directory of the shared credentials file. +* `endpoint`: URL of the entry point for an AWS web service. +* `role_arn`: AWS IAM Role to assume. + +##### Credential Types +There are three types of AWS credentials that can be used: + +- access keys, +- temporary security credentials, and +- IAM role ARN. + +##### Access keys + +`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys. +They are long-term credentials for an IAM user, or the AWS account root user. +See [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) +for more details. + +##### Temporary security credentials + +Temporary security credentials have a limited lifetime and consist of an +access key ID, a secret access key, and a security token which are typically returned +from `GetSessionToken`. + +MFA-enabled IAM users would need to submit an MFA code +while calling `GetSessionToken`. `default_region` identifies the AWS Region +whose servers you want to send your first API request to by default. + +This is typically the Region closest to you, but it can be any Region. See +[Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) +for more details. + +`sts get-session-token` AWS CLI can be used to generate temporary credentials. +For example, with MFA-enabled: +```bash +aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456 +``` + +Because temporary security credentials are short term, after they expire, the +user needs to generate new ones and manually update the package configuration in +order to continue collecting `aws` metrics. + +This will cause data loss if the configuration is not updated with new credentials before the old ones expire. + +##### IAM role ARN + +An IAM role is an IAM identity that you can create in your account that has +specific permissions that determine what the identity can and cannot do in AWS. + +A role does not have standard long-term credentials such as a password or access +keys associated with it. Instead, when you assume a role, it provides you with +temporary security credentials for your role session. +IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate +temporary credentials. + +See [AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) for more details. + +##### Supported Formats +1. Use access keys: Access keys include `access_key_id`, `secret_access_key` +and/or `session_token`. +2. Use `role_arn`: `role_arn` is used to specify which AWS IAM role to assume + for generating temporary credentials. + If `role_arn` is given, the package will check if access keys are given. + If not, the package will check for credential profile name. + If neither is given, default credential profile will be used. + + Ensure credentials are given under either a credential profile or + access keys. +3. Use `credential_profile_name` and/or `shared_credential_file`: + If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then + the package will check for `credential_profile_name`. + If you use different credentials for different tools or applications, you can use profiles to + configure multiple access keys in the same configuration file. + If there is no `credential_profile_name` given, the default profile will be used. + `shared_credential_file` is optional to specify the directory of your shared + credentials file. + If it's empty, the default directory will be used. + In Windows, shared credentials file is at `C:\Users\\.aws\credentials`. + For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. + See [Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html) + for more details. + +#### Supported FDR data + +The FDR dataset includes: + +- Events generated by the Falcon sensor on your hosts +- DataProtectionDetectionSummaryEvent (Data Protection detection summary) +- File Integrity Monitor: FileIntegrityMonitorRuleMatched and FileIntegrityMonitorRuleMatchedEnriched events +- EppDetectionSummaryEvent (EPP detection summary) +- CSPM: Indicators of Misconfiguration (IOM) and Indicators of Attack (IOA) events + +## How do I deploy this integration? + +1. In Kibana, go to **Management > Integrations**. +2. In the "Search for integrations" search bar, type **CrowdStrike**. +3. Click the **CrowdStrike** integration from the search results. +4. Click the **Add CrowdStrike** button to add the integration. +5. Configure the integration. +6. Click **Save and Continue** to save the integration. + +### Agentless enabled integration + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +### Agent based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). +You can install only one Elastic Agent per host. +Elastic Agent is required to stream data from the AWS SQS, Event Streams API, REST API, or SIEM Connector and ship the data to Elastic, where the events will then be processed using the integration's ingest pipelines. + +## Troubleshooting + +### Vulnerability API returns 404 Not found + +This error can occur for the following reasons: +1. Too many records in the response. +2. The pagination token has expired. Tokens expire 120 seconds after a call is made. + +To resolve this, adjust the `Batch Size` setting in the integration to reduce the number of records returned per pagination call. + +### Duplicate Events + +The option `Enable Data Deduplication` allows you to avoid consuming duplicate events. By default, this option is set to `false`, and so duplicate events can be ingested. When this option is enabled, a [fingerprint processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/fingerprint-processor.html) is used to calculate a hash from a set of CrowdStrike fields that uniquely identify the event. The hash is assigned to the Elasticsearch [`_id`](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-id-field.html) field that makes the document unique and prevent duplicates. + +If duplicate events are ingested, to help find them, the integration's `event.id` field is populated by concatenating a few CrowdStrike fields that uniquely identify the event. These fields are `id`, `aid`, and `cid` from the CrowdStrike event. The fields are separated with pipe `|`. +For example, if your CrowdStrike event contains `id: 123`, `aid: 456`, and `cid: 789` then the `event.id` would be `123|456|789`. + +### Alert severity mapping + +The values used in `event.severity` are consistent with Elastic Detection Rules. + +| Severity Name | `event.severity` | +|----------------------------|:----------------:| +| Low, Info or Informational | 21 | +| Medium | 47 | +| High | 73 | +| Critical | 99 | + +The integration sets `event.severity` according to the mapping in the table above. If the severity name is not available from the original document, it is determined from the numeric severity value according to the following table. + +| CrowdStrike Severity | Severity Name | +|------------------------|:-------------:| +| 0 - 19 | info | +| 20 - 39 | low | +| 40 - 59 | medium | +| 60 - 79 | high | +| 80 - 100 | critical | diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/changelog.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/changelog.yml new file mode 100644 index 0000000000..5bdf3afc18 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/changelog.yml @@ -0,0 +1,1051 @@ +# newer versions go on top +- version: "3.12.0" + changes: + - description: Add demo video link to integration documentation. + type: enhancement + link: https://github.com/elastic/integrations/pull/17889 +- version: "3.11.0" + changes: + - description: Append preserve_original_event in pipeline on_failure handlers to support error correction and debugging. + type: enhancement + link: https://github.com/elastic/integrations/pull/17780 + - description: Fix FDR fim_rule_matched pipeline to append preserve_original_event to tags instead of event.kind in on_failure. + type: bugfix + link: https://github.com/elastic/integrations/pull/17780 +- version: "3.10.0" + changes: + - description: Remove deprecated threat field mappings and map fields under `mitre_attack` to standard ECS threat fields in alert data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/17327 +- version: "3.9.1" + changes: + - description: Fix the falcon data stream ingest pipeline to handle non-object documents. + type: bugfix + link: https://github.com/elastic/integrations/pull/17616 +- version: "3.9.0" + changes: + - description: Remove deprecated threat field mappings and map fields under `MitreAttack` to standard ECS threat fields in falcon data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/17322 +- version: "3.8.0" + changes: + - description: Update the CrowdStrike integration README and layout. + type: enhancement + link: https://github.com/elastic/integrations/pull/15927 + - description: Update policy template titles and descriptions. + type: enhancement + link: https://github.com/elastic/integrations/pull/15927 +- version: "3.7.0" + changes: + - description: Add tags to ingest pipelines. + type: enhancement + link: https://github.com/elastic/integrations/pull/17437 + - description: Update error message format in ingest pipelines. + type: enhancement + link: https://github.com/elastic/integrations/pull/17437 +- version: "3.6.0" + changes: + - description: Add if conditions to geoip processors in the FDR data stream to improve performance. + type: enhancement + link: https://github.com/elastic/integrations/pull/17584 + - description: Added new configuration options to the FDR data stream to enable or disable GeoIP enrichment for `observer.ip`, `source.ip`, and `destination.ip` fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/17584 +- version: "3.5.0" + changes: + - description: Add support for CustomerIOCEvent events in falcon data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/17339 +- version: "3.4.0" + changes: + - description: Add support for FileIntegrityMonitorRuleMatched and FileIntegrityMonitorRuleMatchedEnriched events in the FDR data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/16990 + - description: Change `crowdstrike.Nonce` field type from integer to unsigned_long in the FDR data stream to support unsigned 64-bit values out of long range. + type: enhancement + link: https://github.com/elastic/integrations/pull/16990 +- version: "3.3.1" + changes: + - description: Remove references to FDR queue setting. + type: bugfix + link: https://github.com/elastic/integrations/pull/17387 + - description: Remove duplicate security-solution-default tag references + type: bugfix + link: https://github.com/elastic/integrations/pull/17020 +- version: "3.3.0" + changes: + - description: Parse EppDetectionSummaryEvent events in FDR data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/17034 +- version: "3.2.1" + changes: + - description: Fix processing of `crowdstrike.User.ID` field. + type: bugfix + link: https://github.com/elastic/integrations/pull/16989 +- version: "3.2.0" + changes: + - description: Improvements and fixes to ingest pipelines for all data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/16730 +- version: "3.1.0" + changes: + - description: Improve ingest pipeline maintainability. + type: enhancement + link: https://github.com/elastic/integrations/pull/16213 +- version: "3.0.0" + changes: + - description: >- + Add parsing for CSPM IOA and IOM events in the FDR data stream. No configuration changes are required on user side to enable parsing. Some field data types have changed, which can break existing Kibana dashboards or queries. + type: breaking-change + link: https://github.com/elastic/integrations/pull/15783 +- version: "2.11.0" + changes: + - description: >- + Add support for following additional event types in the FDR data stream: MountedVolume, FalconProcessHandleOpDetectInfo, ServiceStopped, KernelServiceStarted, InstalledBrowserExtension, SensorAntiTamperState, SensorSettingsUpdate, ServicesStatusInfo, FileWrittenWithEntropyHigh, ReflectiveDotnetModuleLoad, SuspiciousPrivilegedProcessHandle. These new event types provide deeper visibility into system activity and security posture. + type: enhancement + link: https://github.com/elastic/integrations/pull/15846 +- version: "2.10.1" + changes: + - description: Remove all constant keyword fields that have statically defined values. + type: bugfix + link: https://github.com/elastic/integrations/pull/16240 + - description: Fix handling of string CrowdStrike `User` fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/16240 +- version: "2.10.0" + changes: + - description: >- + Provide an alternate endpoint to query host data for GovCloud CIDs. The GovCloud CIDs must enable the `GovCloud` flag in the integration configuration to ensure the correct endpoint is used. + type: enhancement + link: https://github.com/elastic/integrations/pull/16007 +- version: "2.9.0" + changes: + - description: Support handling FDR documents that encode numbers as strings. + type: enhancement + link: https://github.com/elastic/integrations/pull/16087 +- version: "2.8.0" + changes: + - description: Add support for HTTP proxy configuration for Event Streams. Add support for proxy header configuration for CrowdStrike APIs. + type: enhancement + link: https://github.com/elastic/integrations/pull/15880 +- version: "2.7.0" + changes: + - description: Add support for DataProtectionDetectionSummaryEvent events in FDR and Falcon datasets. + type: enhancement + link: https://github.com/elastic/integrations/pull/15859 +- version: "2.6.0" + changes: + - description: Add a fallback parsing command_line to populate the process name in the FDR data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/15646 +- version: "2.5.2" + changes: + - description: Add `event.category` and `event.type` fields to process data in alerts. + type: bugfix + link: https://github.com/elastic/integrations/pull/15616 +- version: "2.5.1" + changes: + - description: Add conditionals to rename processors in the fdr ingest pipeline to pass the rally benchmark. + type: bugfix + link: https://github.com/elastic/integrations/pull/15497 + - description: Fix the alert ingest pipeline to append device tags correctly. + type: bugfix + link: https://github.com/elastic/integrations/pull/15497 +- version: "2.5.0" + changes: + - description: Migrate to /devices/combined/devices/v1 endpoint to pull host data. + type: enhancement + link: https://github.com/elastic/integrations/pull/15419 +- version: "2.4.0" + changes: + - description: Enhance the field mappings for Windows events in the FDR data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/15342 +- version: "2.3.0" + changes: + - description: Migrate to /alerts/combined/alerts/v1 endpoint to pull alert data. + type: enhancement + link: https://github.com/elastic/integrations/pull/15291 +- version: "2.2.1" + changes: + - description: Fix processing of `crowdstrike.User.Name` field. + type: bugfix + link: https://github.com/elastic/integrations/pull/15272 +- version: "2.2.0" + changes: + - description: >- + Migrate to the "/spotlight/combined/vulnerabilities/v1" endpoint for vulnerability data. Add support for the `facet` query parameter to control what data is returned in the API response. + type: enhancement + link: https://github.com/elastic/integrations/pull/15049 +- version: "2.1.0" + changes: + - description: Populate `message` ECS field from `crowdstrike.event_simpleName` field for FDR data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/14916 +- version: "2.0.1" + changes: + - description: Added a conditional JSON parsing workaround for `ResourceAttributes` to handle cases where it is rendered as a JSON string. + type: bugfix + link: https://github.com/elastic/integrations/pull/15019 +- version: "2.0.0" + changes: + - description: "Data deduplication is now disabled by default for the FDR data stream when configured with the aws-s3 input. \nPreviously, the FDR data stream automatically handled deduplication by computing an Elasticsearch document _id \nusing the aws-s3 input. To prevent duplicate documents, you must now explicitly enable the Data Deduplication setting. \nWhile enabling this setting prevents duplicates, it can result in a lower indexing rate because Elasticsearch \nmust check for existing documents before indexing.\n" + type: breaking-change + link: https://github.com/elastic/integrations/pull/14762 +- version: "1.80.0" + changes: + - description: Update README to clarify the log file format and location for the Falcon SIEM Connector. + type: enhancement + link: https://github.com/elastic/integrations/pull/14789 +- version: "1.79.0" + changes: + - description: Parse `ou` field for host data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/14773 +- version: "1.78.0" + changes: + - description: Add `FilesAccessed` timestamp checking to falcon and fdr data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/14723 +- version: "1.77.1" + changes: + - description: Support various Tags formats in FDR data. + type: bugfix + link: https://github.com/elastic/integrations/pull/14679 +- version: "1.77.0" + changes: + - description: Use `terminate` processor instead of `fail` processor to handle agent errors. + type: enhancement + link: https://github.com/elastic/integrations/pull/14393 +- version: "1.76.0" + changes: + - description: Extend info-level severity names to include "Informational". + type: enhancement + link: https://github.com/elastic/integrations/pull/14275 +- version: "1.75.2" + changes: + - description: Add temporary processor to remove the fields added by the Agentless policy. + type: bugfix + link: https://github.com/elastic/integrations/pull/14172 +- version: "1.75.1" + changes: + - description: Add support for multi-resource falcon hose streams. + type: bugfix + link: https://github.com/elastic/integrations/pull/14212 +- version: "1.75.0" + changes: + - description: Add additional parsed fields in alert datastream. + type: enhancement + link: https://github.com/elastic/integrations/pull/14143 +- version: "1.74.0" + changes: + - description: Standardize user fields processing across integrations. + type: enhancement + link: https://github.com/elastic/integrations/pull/14066 +- version: "1.73.1" + changes: + - description: Fix EppDetectionSummaryEvent recognition logic in falcon data stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/14110 +- version: "1.73.0" + changes: + - description: Parse `prevented` and `worker_node_name` field for alert data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/14026 +- version: "1.72.0" + changes: + - description: Update SQS parsing script to parse all notification payloads. + type: enhancement + link: https://github.com/elastic/integrations/pull/13875 +- version: "1.71.0" + changes: + - description: Add `process.entity_id` and `process.parent.entity_id` ECS mappings in alert and falcon data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/13984 +- version: "1.70.0" + changes: + - description: Normalize `event.severity` values across EDR integrations. + type: enhancement + link: https://github.com/elastic/integrations/pull/13955 +- version: "1.69.1" + changes: + - description: Correct network.direction mapping. + type: bugfix + link: https://github.com/elastic/integrations/pull/13961 +- version: "1.69.0" + changes: + - description: Improve user ECS field mappings for FDR. + type: enhancement + link: https://github.com/elastic/integrations/pull/13906 +- version: "1.68.0" + changes: + - description: Improve handling of document collision. + type: enhancement + link: https://github.com/elastic/integrations/pull/13779 +- version: "1.67.0" + changes: + - description: Improve FDR field handling. + type: enhancement + link: https://github.com/elastic/integrations/pull/12913 +- version: "1.66.0" + changes: + - description: Handle `UTCTimestamp` values expressed in Unix seconds. + type: enhancement + link: https://github.com/elastic/integrations/pull/13833 +- version: "1.65.1" + changes: + - description: Adjust alert batch size to 1000 to match the API limit. + type: bugfix + link: https://github.com/elastic/integrations/pull/13862 +- version: "1.65.0" + changes: + - description: Remove redundant installation instructions. + type: enhancement + link: https://github.com/elastic/integrations/pull/13573 +- version: "1.64.1" + changes: + - description: Reset state values when an error occurs during vulnerability data collection. + type: bugfix + link: https://github.com/elastic/integrations/pull/13740 +- version: "1.64.0" + changes: + - description: Enhance `device.id` ECS mappings for FDR data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/13762 +- version: "1.63.2" + changes: + - description: Fix the navigation links in `Table of Contents` section. + type: bugfix + link: https://github.com/elastic/integrations/pull/13763 +- version: "1.63.1" + changes: + - description: Fix default request trace enabled behavior. + type: bugfix + link: https://github.com/elastic/integrations/pull/13712 +- version: "1.63.0" + changes: + - description: Update `host.*` ECS mappings. + type: enhancement + link: https://github.com/elastic/integrations/pull/13373 +- version: "1.62.0" + changes: + - description: Updated integration logo. + type: enhancement + link: https://github.com/elastic/integrations/pull/12345 +- version: "1.61.1" + changes: + - description: Fix condition in date processors for the FDR data stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/13394 +- version: "1.61.0" + changes: + - description: Improve performance of script processors in fdr data stream ingest pipeline. + type: enhancement + link: https://github.com/elastic/integrations/pull/13325 +- version: "1.60.0" + changes: + - description: Add option to delete long fields thus avoiding _ignored fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/13157 +- version: "1.59.0" + changes: + - description: Improve `EppDetectionSummaryEvent` event field mapping for falcon. + type: enhancement + link: https://github.com/elastic/integrations/pull/13334 +- version: "1.58.0" + changes: + - description: Add support for `EppDetectionSummaryEvent` events. + type: enhancement + link: https://github.com/elastic/integrations/pull/12869 +- version: "1.57.0" + changes: + - description: Reduce storage load for less useful or constant fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/13260 +- version: "1.56.1" + changes: + - description: Expose missing "Number of Workers" settings to the user. + type: bugfix + link: https://github.com/elastic/integrations/pull/13196 +- version: "1.56.0" + changes: + - description: Optionally allow data deduplication. + type: enhancement + link: https://github.com/elastic/integrations/pull/13109 + - description: Concatenate fingerprint fields into `event.id` to allow checking for duplicates. + type: enhancement + link: https://github.com/elastic/integrations/pull/13109 +- version: "1.55.0" + changes: + - description: Increase field limits in FDR data-streams to avoid unindexed ECS fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/13056 +- version: "1.54.0" + changes: + - description: Enable request trace log removal. + type: enhancement + link: https://github.com/elastic/integrations/pull/13035 +- version: "1.53.0" + changes: + - description: Add support of vulnerability data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/12973 + - description: Update ecs version to 8.17.0 and add navigation of vulnerability dashboard in existing dashboards. + type: enhancement + link: https://github.com/elastic/integrations/pull/12973 +- version: "1.52.3" + changes: + - description: Fix condition in date processors for the FDR data stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/13397 +- version: "1.52.2" + changes: + - description: Expose missing "Number of Workers" settings to the user. + type: bugfix + link: https://github.com/elastic/integrations/pull/13296 +- version: "1.52.1" + changes: + - description: Fixed parsing of RawProcessIDs in edge case scenarios. + type: bugfix + link: http://github.com/elastic/integrations/pull/12860 +- version: "1.52.0" + changes: + - description: Add handling for domain names in SMB events. + type: enhancement + link: https://github.com/elastic/integrations/pull/12712 + - description: Fix issues/gaps in handling of domain names in DNS events. + type: bugfix + link: https://github.com/elastic/integrations/pull/12712 + - description: Fix over setting of `url.scheme`. + type: bugfix + link: https://github.com/elastic/integrations/pull/12712 +- version: "1.51.2" + changes: + - description: Avoid using dynamic template for flattened fields. + type: bugfix + link: http://github.com/elastic/integrations/pull/12624 +- version: "1.51.1" + changes: + - description: Updated SSL description in package manifest.yml to be uniform and to include links to documentation. + type: bugfix + link: https://github.com/elastic/integrations/pull/12781 +- version: "1.51.0" + changes: + - description: Update Kibana constraint to support 9.0.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/12593 +- version: "1.50.0" + changes: + - description: Allow the usage of deprecated log input and support for stack 9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/12503 +- version: "1.49.1" + changes: + - description: Fix network direction handling for FDR data stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/12508 + - description: Handle invalid IP addresses robustly. + type: bugfix + link: https://github.com/elastic/integrations/pull/12508 +- version: "1.49.0" + changes: + - description: Add "preserve_original_event" tag to documents with `event.kind` manually set to "pipeline_error". + type: enhancement + link: https://github.com/elastic/integrations/pull/12109 +- version: "1.48.0" + changes: + - description: Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error". + type: enhancement + link: https://github.com/elastic/integrations/pull/12046 +- version: "1.47.0" + changes: + - description: Add Support of CrowdStrike Event Stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/11773 +- version: "1.46.0" + changes: + - description: Extract user and host names from the name field. + type: enhancement + link: https://github.com/elastic/integrations/pull/11804 + - description: Correct use of `related.hash` to `related.hosts`. + type: bugfix + link: https://github.com/elastic/integrations/pull/11804 +- version: "1.45.1" + changes: + - description: Use host.name in `Top Related Hosts` visualisation in Falcon Overview dashboard. + type: bugfix + link: https://github.com/elastic/integrations/pull/11739 + - description: Use host.name field for `Hostname` control in Falcon Overview dashboard. + type: bugfix + link: https://github.com/elastic/integrations/pull/11739 + - description: Remove unused field control `observer.address` from Falcon Overview dashboard. + type: bugfix + link: https://github.com/elastic/integrations/pull/11739 + - description: Add `Severity` name to control using `crowdstrike.event.SeverityName` in Falcon Overview dashboard. + type: bugfix + link: https://github.com/elastic/integrations/pull/11739 +- version: "1.45.0" + changes: + - description: Add support for FQL queries in `alert` and `host` data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/11734 +- version: "1.44.0" + changes: + - description: Map additional fields observed in alert data. + type: enhancement + link: https://github.com/elastic/integrations/pull/11724 +- version: "1.43.0" + changes: + - description: Recover Crowdstrike-deprecated field values for `is_synthetic_quarantine_disposition`, `has_script_or_module_ioc` and `ioc_values`. + type: enhancement + link: https://github.com/elastic/integrations/pull/11282 +- version: "1.42.2" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11314 +- version: "1.42.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 +- version: "1.42.0" + changes: + - description: Add support of IDP and EPP alert fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/11135 +- version: "1.41.1" + changes: + - description: Re-add ECS field definitions to enable fieldless search for kibana versions before v8.14. + type: bugfix + link: https://github.com/elastic/integrations/pull/11147 +- version: "1.41.0" + changes: + - description: Map `crowdstrike.CommandHistory`, `crowdstrike.ParentCommandLine` and `crowdstrike.GrandparentCommandLine` as multi-fields with `match_only_text`. + type: enhancement + link: https://github.com/elastic/integrations/pull/11012 +- version: "1.40.1" + changes: + - description: Fix mapping for assessment events. + type: bugfix + link: https://github.com/elastic/integrations/pull/11023 + - description: Fix handling of cases where AIP is present but empty. + type: bugfix + link: https://github.com/elastic/integrations/pull/11023 +- version: "1.40.0" + changes: + - description: "Allow @custom pipeline access to event.original without setting preserve_original_event." + type: enhancement + link: https://github.com/elastic/integrations/pull/10897 +- version: "1.39.3" + changes: + - description: Fix handling of event.created and timestamp fields for FDR events. + type: bugfix + link: https://github.com/elastic/integrations/pull/10862 +- version: "1.39.2" + changes: + - description: Fix cursor timestamp handling. + type: bugfix + link: https://github.com/elastic/integrations/pull/10694 +- version: "1.39.1" + changes: + - description: Return empty `events` array when no resources in alert, host. + type: bugfix + link: https://github.com/elastic/integrations/pull/10831 +- version: "1.39.0" + changes: + - description: Improve document deduplication behavior. + type: enhancement + link: https://github.com/elastic/integrations/pull/10567 +- version: "1.38.0" + changes: + - description: Improve error reporting for API request failures. + type: enhancement + link: https://github.com/elastic/integrations/pull/10346 +- version: "1.37.1" + changes: + - description: Fix threat.framework when prefix is `CS`. + type: bugfix + link: https://github.com/elastic/integrations/pull/10256 +- version: "1.37.0" + changes: + - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. + type: enhancement + link: https://github.com/elastic/integrations/pull/10135 +- version: "1.36.0" + changes: + - description: Add `device.id` field. + type: enhancement + link: https://github.com/elastic/integrations/pull/10124 +- version: "1.35.0" + changes: + - description: Make `host.ip` field conform to ECS field definition. + type: enhancement + link: https://github.com/elastic/integrations/pull/10120 +- version: "1.34.3" + changes: + - description: Fix handling of empty responses in CEL. + type: bugfix + link: https://github.com/elastic/integrations/pull/9972 +- version: "1.34.2" + changes: + - description: Resolved ignore_malformed issues with fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/9832 +- version: "1.34.1" + changes: + - description: Improve error handling for renaming processors. + type: bugfix + link: https://github.com/elastic/integrations/pull/9816 +- version: "1.34.0" + changes: + - description: Update manifest format version to v3.0.3. + type: enhancement + link: https://github.com/elastic/integrations/pull/9536 +- version: "1.33.0" + changes: + - description: Refactor alert and host collectors and improve error handling. + type: enhancement + link: https://github.com/elastic/integrations/pull/9716 +- version: "1.32.2" + changes: + - description: Fix geoip mapping to destination. + type: bugfix + link: https://github.com/elastic/integrations/pull/9738 +- version: "1.32.1" + changes: + - description: Fix cache option name in FDR data stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/9436 +- version: "1.32.0" + changes: + - description: Set sensitive value as secret in cel input. + type: enhancement + link: https://github.com/elastic/integrations/pull/9238 +- version: "1.31.0" + changes: + - description: Add support for Alert and Host API endpoints. + type: enhancement + link: https://github.com/elastic/integrations/pull/8790 +- version: "1.30.0" + changes: + - description: Set sensitive values as secret. + type: enhancement + link: https://github.com/elastic/integrations/pull/8725 +- version: "1.29.0" + changes: + - description: Expose FDR cache options for more flexibility + type: enhancement + link: https://github.com/elastic/integrations/pull/9063 +- version: "1.28.3" + changes: + - description: Fix drive letter parsing. + type: bugfix + link: https://github.com/elastic/integrations/pull/9119 +- version: "1.28.2" + changes: + - description: Add missing type mapping for host fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/9030 +- version: "1.28.1" + changes: + - description: Changed owners + type: enhancement + link: https://github.com/elastic/integrations/pull/8943 +- version: "1.28.0" + changes: + - description: Enrich events with userinfo user details fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/8742 + - description: Map host and user metatdata to ECS fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/8742 +- version: "1.27.0" + changes: + - description: Allow aidmaster metadata to be retained after host enrichment. + type: enhancement + link: https://github.com/elastic/integrations/pull/8715 +- version: "1.26.2" + changes: + - description: Do not populate `related.hosts` with IP values. + type: bugfix + link: https://github.com/elastic/integrations/pull/8684 +- version: "1.26.1" + changes: + - description: Fix exclude_files pattern. + type: bugfix + link: https://github.com/elastic/integrations/pull/8635 +- version: "1.26.0" + changes: + - description: Enrich events with aidmaster host details fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/8474 +- version: 1.25.1 + changes: + - description: Add new events. + type: enhancement + link: https://github.com/elastic/integrations/pull/8498 +- version: 1.25.0 + changes: + - description: Add new dashboards for Crowdstrike and Crowdstrike Falcon + type: enhancement + link: https://github.com/elastic/integrations/pull/8478 +- version: 1.24.0 + changes: + - description: ECS version updated to 8.11.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/8433 +- version: "1.23.1" + changes: + - description: Prefer ImageFileName for the value of process.executable. + type: bugfix + link: https://github.com/elastic/integrations/pull/8322 +- version: "1.23.0" + changes: + - description: Improve 'event.original' check to avoid errors if set. + type: enhancement + link: https://github.com/elastic/integrations/pull/8269 +- version: "1.22.1" + changes: + - description: Fix field mapping for LMHostIDs + type: bugfix + link: https://github.com/elastic/integrations/pull/8115 +- version: 1.22.0 + changes: + - description: Update the package format_version to 3.0.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/8025 +- version: 1.21.0 + changes: + - description: Correct invalid ECS field usages at root-level. + type: bugfix + link: https://github.com/elastic/integrations/pull/7968 +- version: 1.20.0 + changes: + - description: ECS version updated to 8.10.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/7905 +- version: "1.19.0" + changes: + - description: Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. + type: enhancement + link: https://github.com/elastic/integrations/pull/7789 +- version: "1.18.3" + changes: + - description: Convert Win32 timestamps to unix millisecond timestamps. + type: bugfix + link: https://github.com/elastic/integrations/pull/7734 +- version: "1.18.2" + changes: + - description: Fixed event tag handling for the falcon data-stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/7625 +- version: "1.18.1" + changes: + - description: Fixed Windows NT timestamp handling. + type: bugfix + link: https://github.com/elastic/integrations/pull/7548 +- version: "1.18.0" + changes: + - description: Update package to ECS 8.9.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/7107 +- version: "1.17.0" + changes: + - description: Document duration units. + type: enhancement + link: https://github.com/elastic/integrations/pull/6992 +- version: "1.16.1" + changes: + - description: Remove confusing error message tag prefix. + type: bugfix + link: https://github.com/elastic/integrations/pull/7105 +- version: "1.16.0" + changes: + - description: Adding new Event types to the Falcon Datastream. + type: enhancement + link: https://github.com/elastic/integrations/pull/6844 +- version: "1.15.0" + changes: + - description: Overhaul of the Falcon Datastream, adding plenty of new fields and ECS mappings. + type: enhancement + link: https://github.com/elastic/integrations/pull/6668 +- version: "1.14.0" + changes: + - description: Ensure event.kind is correctly set for pipeline errors. + type: enhancement + link: https://github.com/elastic/integrations/pull/6613 +- version: "1.13.0" + changes: + - description: Update package to ECS 8.8.0 and pkg-spec 2.7.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/6372 +- version: "1.12.1" + changes: + - description: Fix parsing errors of LocalAddressIP4 field and calculation of process.uptime. + type: bugfix + link: https://github.com/elastic/integrations/pull/5957 +- version: "1.12.0" + changes: + - description: Update package to ECS 8.7.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/5765 +- version: "1.11.2" + changes: + - description: Reduce duplicate document ingestion. + type: bugfix + link: https://github.com/elastic/integrations/pull/5669 +- version: "1.11.1" + changes: + - description: Multiple IPs in `aip` field and add new fields + type: bugfix + link: https://github.com/elastic/integrations/pull/5655 +- version: "1.11.0" + changes: + - description: Support `max_number_of_messages` in SQS mode + type: enhancement + link: https://github.com/elastic/integrations/pull/5595 +- version: "1.10.2" + changes: + - description: Remove redundant GeoIP look-ups. + type: bugfix + link: https://github.com/elastic/integrations/pull/5456 +- version: "1.10.1" + changes: + - description: Added categories and/or subcategories. + type: enhancement + link: https://github.com/elastic/integrations/pull/5123 +- version: "1.10.0" + changes: + - description: Support Windows NT timestamps for ContextTimeStamp, StartTime and EndTime FDR fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/5168 +- version: "1.9.0" + changes: + - description: Update package to ECS 8.6.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/4576 +- version: "1.8.2" + changes: + - description: Fix parse of CommandLine in Falcon pipeline + type: bugfix + link: https://github.com/elastic/integrations/pull/4758 +- version: "1.8.1" + changes: + - description: Fix parse of flattened `process` fields in Falcon data stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/4709 +- version: "1.8.0" + changes: + - description: Update package to ECS 8.5.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/4285 +- version: "1.7.0" + changes: + - description: Expose Default Region setting to UI + type: enhancement + link: https://github.com/elastic/integrations/pull/4158 +- version: "1.6.1" + changes: + - description: Use ECS geo.location definition. + type: enhancement + link: https://github.com/elastic/integrations/issues/4227 +- version: "1.6.0" + changes: + - description: Parse executable for `process.name` in FDR data stream + type: enhancement + link: https://github.com/elastic/integrations/pull/4133 +- version: "1.5.1" + changes: + - description: Set default endpoint to empty string + type: bugfix + link: https://github.com/elastic/integrations/pull/4103 +- version: "1.5.0" + changes: + - description: Update package to ECS 8.4.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/3843 +- version: "1.4.2" + changes: + - description: Fix proxy URL documentation rendering. + type: bugfix + link: https://github.com/elastic/integrations/pull/3881 +- version: "1.4.1" + changes: + - description: Update package name and description to align with standard wording + type: enhancement + link: https://github.com/elastic/integrations/pull/3478 +- version: "1.4.0" + changes: + - description: Update package to ECS 8.3.0. + type: enhancement + link: https://github.com/elastic/integrations/pull/3353 +- version: "1.3.4" + changes: + - description: Prevent missing `@timestamp` field. + type: bugfix + link: https://github.com/elastic/integrations/pull/3484 +- version: "1.3.3" + changes: + - description: Optimize FDR pipeline script processor. + type: bugfix + link: https://github.com/elastic/integrations/pull/3302 +- version: "1.3.2" + changes: + - description: Format source.mac as per ECS. + type: bugfix + link: https://github.com/elastic/integrations/pull/3302 +- version: "1.3.1" + changes: + - description: Update readme file. Added link to CrowdStrike docs + type: enhancement + link: https://github.com/elastic/integrations/pull/3057 +- version: "1.3.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2779 +- version: "1.2.7" + changes: + - description: Move invalid field value + type: enhancement + link: https://github.com/elastic/integrations/pull/3098 +- version: "1.2.6" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.2.5" + changes: + - description: Add date parsing for BiosReleaseDate field. + type: bugfix + link: https://github.com/elastic/integrations/pull/2867 +- version: "1.2.4" + changes: + - description: Add missing field mapping for several event and host fields. + type: bugfix + link: https://github.com/elastic/integrations/pull/2869 +- version: "1.2.3" + changes: + - description: Change type of 'fdr_parsing_script' variable to 'yaml' so that the multi-line string creates a valid YAML config document. + type: bugfix + link: https://github.com/elastic/integrations/pull/2701 +- version: "1.2.2" + changes: + - description: Add Ingest Pipeline script to map IANA Protocol Numbers + type: bugfix + link: https://github.com/elastic/integrations/pull/2470 +- version: "1.2.1" + changes: + - description: Fix issue with "Is FDR Queue" selector having no effect. + type: bugfix + link: https://github.com/elastic/integrations/pull/2653 +- version: "1.2.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2398 +- version: "1.1.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.1.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.1.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2229 +- version: "1.0.4" + changes: + - description: Add ability to read from both FDR provided and user owned SQS queues for FDR. + type: bugfix + link: https://github.com/elastic/integrations/pull/2198 + - description: Pipeline fixes for FDR + type: bugfix + link: https://github.com/elastic/integrations/pull/2198 +- version: "1.0.3" + changes: + - description: Uniform with guidelines + type: enhancement + link: https://github.com/elastic/integrations/pull/2022 +- version: "1.0.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1961 +- version: "1.0.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1812 +- version: '1.0.0' + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1630 +- version: "0.9.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1655 +- version: "0.8.1" + changes: + - description: Add proxy config + type: enhancement + link: https://github.com/elastic/integrations/pull/1648 +- version: "0.8.0" + changes: + - description: Add FDR data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/1522 + - description: Change Falcon ECS fields definition to use references + type: enhancement + link: https://github.com/elastic/integrations/pull/1522 + - description: Add cleanup processor to Falcon + type: enhancement + link: https://github.com/elastic/integrations/pull/1522 +- version: '0.7.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1378 +- version: "0.7.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.6.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1258 +- version: "0.5.0" + changes: + - description: update to ECS 1.10.0 and add event.original options + type: enhancement + link: https://github.com/elastic/integrations/pull/1036 +- version: "0.4.1" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/841 +- version: "0.4.0" + changes: + - description: Moves edge processing to ingest pipeline + type: enhancement + link: https://github.com/elastic/integrations/pull/774 +- version: "0.3.1" + changes: + - description: Change kibana.version constraint to be more conservative. + type: bugfix + link: https://github.com/elastic/integrations/pull/749 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/182 diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs new file mode 100644 index 0000000000..b9c4c9c6fd --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs @@ -0,0 +1,130 @@ +config_version: 2 +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if proxy_headers}} +resource.proxy_headers: {{proxy_headers}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{token_url}} +state: + initial_interval: {{initial_interval}} + batch_size: {{batch_size}} +{{#if query}} + query: {{query}} +{{/if}} +redact: + fields: ~ +program: |- + state.with( + ( + state.?want_more.orValue(false) ? + state.start_time + : + state.?cursor.last_timestamp.orValue( + (now - duration(state.initial_interval)).format(time_layout.RFC3339Nano) + ) + ).as(start_time, + post_request( + state.url.trim_right("/") + "/alerts/combined/alerts/v1?", + "application/json", + { + ?"after": state.?next.page_token, + "limit": int(state.batch_size), + "sort": "updated_timestamp|asc", + "filter": [ + "updated_timestamp:>'" + start_time + "'", + ?state.?query.optMap(q, "(" + q + ")"), + ].join("+"), + }.encode_json() + ).do_request().as(resp, (resp.StatusCode == 200) ? + resp.Body.decode_json().as(body, + (size(body.?errors.orValue([])) > 0) ? + { + "events": body.errors.map(error, + { + "error": { + "code": string(error.code), + "message": string(error.message), + }, + } + ), + "next": {}, + "want_more": false, + } + : + { + "events": has(body.resources) ? + body.resources.map(e, + { + "message": e.encode_json(), + } + ) + : + [], + "start_time": start_time, + "next": { + ?"page_token": body.?meta.pagination.after, + }, + "cursor": { + // The records are sorted in ascending order based on the value of updated_timestamp, + // in the next interval we start from the last event (newest) time. + ?"last_timestamp": (has(body.resources) && body.resources.size() > 0) ? + optional.of(timestamp(body.resources[size(body.resources) - 1].updated_timestamp).format(time_layout.RFC3339Nano)) + : + state.?cursor.last_timestamp, + }, + "want_more": has(body.?meta.pagination.after), + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST " + state.url.trim_right("/") + "/alerts/combined/alerts/v1:" + ( + (size(resp.Body) != 0) ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "next": {}, + "want_more": false, + } + ) + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..ddc83b719f --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,3079 @@ +--- +description: Pipeline for processing Alert logs. +processors: + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - set: + field: event.kind + tag: set_event_kind + value: alert + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - terminate: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + description: error message set and no data to process. + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + tag: append_error_message_cea45f41 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.category + tag: set_event_category_process + value: ['process'] + if: ctx.json?.process_id != null || ctx.json?.triggering_process_graph_id != null + - set: + field: event.type + tag: set_event_type_start + value: ['start'] + if: ctx.json?.process_start_time != null + - convert: + field: json.active_directory_authentication_method + tag: convert_active_directory_authentication_method_to_long + target_field: crowdstrike.alert.active_directory_authentication_method + type: long + if: ctx.json?.active_directory_authentication_method != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_66658c56 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.activity_browser + tag: rename_activity_browser + target_field: crowdstrike.alert.activity.browser + ignore_missing: true + - rename: + field: json.activity_device + tag: rename_activity_device + target_field: crowdstrike.alert.activity.device + ignore_missing: true + - rename: + field: json.activity_id + tag: rename_activity_id + target_field: crowdstrike.alert.activity.id + ignore_missing: true + - rename: + field: json.activity_os + tag: rename_activity_os + target_field: crowdstrike.alert.activity.os + ignore_missing: true + - rename: + field: json.agent_id + tag: rename_agent_id + target_field: crowdstrike.alert.agent_id + ignore_missing: true + - set: + field: host.id + tag: set_host_id_from_alert_agent_id + copy_from: crowdstrike.alert.agent_id + ignore_empty_value: true + - rename: + field: json.agent_scan_id + tag: rename_agent_scan_id + target_field: crowdstrike.alert.agent_scan_id + ignore_missing: true + - rename: + field: json.aggregate_id + tag: rename_aggregate_id + target_field: crowdstrike.alert.aggregate_id + ignore_missing: true + - convert: + field: json.alert_attributes + tag: convert_alert_attributes_to_long + target_field: crowdstrike.alert.alert_attributes + type: long + if: ctx.json?.alert_attributes != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_70221132 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.alleged_filetype + tag: rename_alleged_filetype + target_field: crowdstrike.alert.alleged_filetype + ignore_missing: true + - rename: + field: json.assigned_to_name + tag: rename_assigned_to_name + target_field: crowdstrike.alert.assigned_to.name + ignore_missing: true + - rename: + field: json.assigned_to_uid + tag: rename_assigned_to_uid + target_field: crowdstrike.alert.assigned_to.uid + ignore_missing: true + - append: + field: related.user + tag: append_crowdstrike_alert_assigned_to_uid_into_related_user + value: '{{{crowdstrike.alert.assigned_to.uid}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.assigned_to?.uid != null + - rename: + field: json.assigned_to_uuid + tag: rename_assigned_to_uuid + target_field: crowdstrike.alert.assigned_to.uuid + ignore_missing: true + - foreach: + tag: foreach_json_associated_files_6443225a + field: json.associated_files + if: ctx.json?.associated_files instanceof List + processor: + append: + field: related.hash + tag: append_associated_files_sha256_into_related_hash + value: '{{{_ingest._value.sha256}}}' + allow_duplicates: false + - rename: + field: json.associated_files + tag: rename_associated_files + target_field: crowdstrike.alert.associated_files + ignore_missing: true + - rename: + field: json.child_process_ids + tag: rename_child_process_ids + target_field: crowdstrike.alert.child_process_ids + ignore_missing: true + - rename: + field: json.cid + tag: rename_cid + target_field: crowdstrike.alert.cid + ignore_missing: true + - convert: + field: json.cloud_indicator + tag: convert_cloud_indicator_to_boolean + target_field: crowdstrike.alert.cloud_indicator + type: boolean + if: ctx.json?.cloud_indicator != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_3388312c + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.prevented + tag: convert_prevented_to_boolean + target_field: crowdstrike.alert.prevented + type: boolean + if: ctx.json?.prevented != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_fd4efaf4 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.worker_node_name + tag: rename_worker_node_name + target_field: crowdstrike.alert.worker_node_name + ignore_missing: true + - rename: + field: json.cmdline + tag: rename_cmdline + target_field: crowdstrike.alert.cmdline + ignore_missing: true + - rename: + field: json.command_line + tag: rename_command_line + target_field: crowdstrike.alert.command_line + ignore_missing: true + - set: + field: process.command_line + tag: set_process_command_line + copy_from: crowdstrike.alert.command_line + ignore_empty_value: true + - rename: + field: json.comment + tag: rename_comment + target_field: crowdstrike.alert.comment + ignore_missing: true + - rename: + field: json.composite_id + tag: rename_composite_id + target_field: crowdstrike.alert.composite_id + ignore_missing: true + - convert: + field: json.confidence + tag: convert_confidence_to_long + target_field: crowdstrike.alert.confidence + type: long + if: ctx.json?.confidence != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_056ec0de + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.context_timestamp + tag: date_context_timestamp + target_field: crowdstrike.alert.context_timestamp + formats: + - ISO8601 + if: ctx.json?.context_timestamp != null && ctx.json.context_timestamp != '' + on_failure: + - append: + tag: append_error_message_4c68faac + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.control_graph_id + tag: rename_control_graph_id + target_field: crowdstrike.alert.control_graph_id + ignore_missing: true + - rename: + field: json.crawl_edge_ids.Sensor + tag: rename_crawl_edge_ids_Sensor + target_field: crowdstrike.alert.crawl_edge_ids.Sensor + ignore_missing: true + - rename: + field: json.crawl_vertex_ids.Sensor + tag: rename_crawl_vertex_ids_Sensor + target_field: crowdstrike.alert.crawl_vertex_ids.Sensor + ignore_missing: true + - date: + field: json.crawled_timestamp + tag: date_crawled_timestamp + target_field: crowdstrike.alert.crawled_timestamp + formats: + - ISO8601 + if: ctx.json?.crawled_timestamp != null && ctx.json.crawled_timestamp != '' + on_failure: + - append: + tag: append_error_message_fc8893f7 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.created_timestamp + tag: date_created_timestamp + target_field: crowdstrike.alert.created_timestamp + formats: + - ISO8601 + if: ctx.json?.created_timestamp != null && ctx.json.created_timestamp != '' + on_failure: + - append: + tag: append_error_message_ca63e3f9 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.data_domains + tag: rename_data_domains + target_field: crowdstrike.alert.data_domains + ignore_missing: true + - rename: + field: json.description + tag: rename_description + target_field: crowdstrike.alert.description + ignore_missing: true + - set: + field: message + tag: set_message_from_alert_description + copy_from: crowdstrike.alert.description + ignore_empty_value: true + - rename: + field: json.detect_type + tag: rename_detect_type + target_field: crowdstrike.alert.detect_type + ignore_missing: true + - convert: + field: json.device.agent_load_flags + tag: convert_device_agent_load_flags_to_long + target_field: crowdstrike.alert.device.agent_load_flags + type: long + if: ctx.json?.device?.agent_load_flags != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_b98af92a + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.device.agent_local_time + tag: date_device_agent_local_time + target_field: crowdstrike.alert.device.agent_local_time + formats: + - ISO8601 + if: ctx.json?.device?.agent_local_time != null && ctx.json.device.agent_local_time != '' + on_failure: + - append: + tag: append_error_message_538d3a21 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.device.agent_version + tag: rename_device_agent_version + target_field: crowdstrike.alert.device.agent_version + ignore_missing: true + - rename: + field: json.device.bios_manufacturer + tag: rename_device_bios_manufacturer + target_field: crowdstrike.alert.device.bios_manufacturer + ignore_missing: true + - rename: + field: json.device.bios_version + tag: rename_device_bios_version + target_field: crowdstrike.alert.device.bios_version + ignore_missing: true + - rename: + field: json.device.cid + tag: rename_device_cid + target_field: crowdstrike.alert.device.cid + ignore_missing: true + - rename: + field: json.device.config_id_base + tag: rename_device_config_id_base + target_field: crowdstrike.alert.device.config_id_base + ignore_missing: true + - rename: + field: json.device.config_id_build + tag: rename_device_config_id_build + target_field: crowdstrike.alert.device.config_id_build + ignore_missing: true + - convert: + field: json.device.config_id_platform + tag: convert_device_config_id_platform_to_long + target_field: crowdstrike.alert.device.config_id_platform + type: long + if: ctx.json?.device?.config_id_platform != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_f3e43e5e + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.device.external_ip + tag: convert_device_external_ip_to_ip + target_field: crowdstrike.alert.device.external_ip + type: ip + ignore_missing: true + if: ctx.json?.device?.external_ip != null && ctx.json.device.external_ip != '' + on_failure: + - append: + tag: append_error_message_42084d15 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_crowdstrike_alert_device_external_ip_into_related_ip + value: '{{{crowdstrike.alert.device.external_ip}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.device?.external_ip != null + - append: + field: host.ip + tag: append_crowdstrike_alert_device_external_ip_into_host_ip + value: '{{{crowdstrike.alert.device.external_ip}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.device?.external_ip != null + - date: + field: json.device.first_seen + tag: date_device_first_seen + target_field: crowdstrike.alert.device.first_seen + formats: + - ISO8601 + if: ctx.json?.device?.first_seen != null && ctx.json.device.first_seen != '' + on_failure: + - append: + tag: append_error_message_aea505b6 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.device.groups + tag: rename_device_groups + target_field: crowdstrike.alert.device.groups + ignore_missing: true + - rename: + field: json.device.hostinfo.active_directory_dn_display + tag: rename_device_hostinfo_active_directory_dn_display + target_field: crowdstrike.alert.device.hostinfo.active_directory_dn_display + ignore_missing: true + - rename: + field: json.device.hostinfo.domain + tag: rename_device_hostinfo_domain + target_field: crowdstrike.alert.device.hostinfo.domain + ignore_missing: true + - set: + field: host.domain + tag: set_host_domain_from_alert_device_hostinfo_domain + copy_from: crowdstrike.alert.device.hostinfo.domain + ignore_empty_value: true + - append: + tag: append_related_hosts_2d0901db + field: related.hosts + value: '{{{host.domain}}}' + allow_duplicates: false + if: ctx.host?.domain != null + - rename: + field: json.device.hostname + tag: rename_device_hostname + target_field: crowdstrike.alert.device.hostname + ignore_missing: true + - set: + field: host.hostname + tag: set_host_hostname_from_alert_device_hostname + copy_from: crowdstrike.alert.device.hostname + ignore_empty_value: true + - append: + tag: append_related_hosts_ca923905 + field: related.hosts + value: '{{{host.hostname}}}' + allow_duplicates: false + if: ctx.host?.hostname != null + - rename: + field: json.device.device_id + tag: rename_device_device_id + target_field: crowdstrike.alert.device.id + ignore_missing: true + - set: + field: device.id + tag: set_device_id_from_alert_device_id + copy_from: crowdstrike.alert.device.id + ignore_empty_value: true + - date: + field: json.device.last_seen + tag: date_device_last_seen + target_field: crowdstrike.alert.device.last_seen + formats: + - ISO8601 + if: ctx.json?.device?.last_seen != null && ctx.json.device.last_seen != '' + on_failure: + - append: + tag: append_error_message_c4fe6db0 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.device.local_ip + tag: convert_device_local_ip_to_ip + target_field: crowdstrike.alert.device.local_ip + type: ip + ignore_missing: true + if: ctx.json?.device?.local_ip != null && ctx.json.device.local_ip != '' + on_failure: + - append: + tag: append_error_message_90137be3 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_crowdstrike_alert_device_local_ip_into_related_ip + value: '{{{crowdstrike.alert.device.local_ip}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.device?.local_ip != null + - append: + field: host.ip + tag: append_crowdstrike_alert_device_local_ip_into_host_ip + value: '{{{crowdstrike.alert.device.local_ip}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.device?.local_ip != null + - gsub: + field: json.device.mac_address + tag: gsub_device_mac_address + pattern: '[:.]' + replacement: '-' + target_field: crowdstrike.alert.device.mac_address + ignore_missing: true + on_failure: + - append: + tag: append_error_message_d911be70 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - uppercase: + field: crowdstrike.alert.device.mac_address + tag: uppercase_device_mac_address + ignore_missing: true + if: ctx.crowdstrike?.alert?.device?.mac_address != '' + on_failure: + - append: + tag: append_error_message_2fa36041 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: host.mac + value: '{{{crowdstrike.alert.device.mac_address}}}' + tag: append_device_mac_address_into_host_mac + allow_duplicates: false + if: ctx.crowdstrike?.alert?.device?.mac_address != null + - rename: + field: json.device.machine_domain + tag: rename_device_machine_domain + target_field: crowdstrike.alert.device.machine_domain + ignore_missing: true + - append: + tag: append_related_hosts_9c327391 + field: related.hosts + value: '{{{crowdstrike.alert.device.machine_domain}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.device?.machine_domain != null + - rename: + field: json.device.major_version + tag: rename_device_major_version + target_field: crowdstrike.alert.device.major_version + ignore_missing: true + - rename: + field: json.device.minor_version + tag: rename_device_minor_version + target_field: crowdstrike.alert.device.minor_version + ignore_missing: true + - date: + field: json.device.modified_timestamp + tag: date_device_modified_timestamp + target_field: crowdstrike.alert.device.modified_timestamp + formats: + - ISO8601 + if: ctx.json?.device?.modified_timestamp != null && ctx.json.device.modified_timestamp != '' + on_failure: + - append: + tag: append_error_message_f62d2786 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.device.os_version + tag: rename_device_os_version + target_field: crowdstrike.alert.device.os_version + ignore_missing: true + - set: + field: host.os.full + tag: set_host_os_full_from_alert_device_os_version + copy_from: crowdstrike.alert.device.os_version + ignore_empty_value: true + - rename: + field: json.device.ou + tag: rename_device_ou + target_field: crowdstrike.alert.device.ou + ignore_missing: true + - rename: + field: json.device.platform_id + tag: rename_device_platform_id + target_field: crowdstrike.alert.device.platform_id + ignore_missing: true + - rename: + field: json.device.platform_name + tag: rename_device_platform_name + target_field: crowdstrike.alert.device.platform_name + ignore_missing: true + - set: + field: host.os.platform + tag: set_host_os_platform_from_alert_device_platform_name + copy_from: crowdstrike.alert.device.platform_name + ignore_empty_value: true + - rename: + field: json.device.pod_labels + tag: rename_device_pod_labels + target_field: crowdstrike.alert.device.pod_labels + ignore_missing: true + - rename: + field: json.device.product_type + tag: rename_device_product_type + target_field: crowdstrike.alert.device.product_type + ignore_missing: true + - rename: + field: json.device.product_type_desc + tag: rename_device_product_type_desc + target_field: crowdstrike.alert.device.product_type_desc + ignore_missing: true + - rename: + field: json.device.site_name + tag: rename_device_site_name + target_field: crowdstrike.alert.device.site_name + ignore_missing: true + - rename: + field: json.device.status + tag: rename_device_status + target_field: crowdstrike.alert.device.status + ignore_missing: true + - rename: + field: json.device.system_manufacturer + tag: rename_device_system_manufacturer + target_field: crowdstrike.alert.device.system_manufacturer + ignore_missing: true + - set: + field: device.manufacturer + tag: set_device_manufacturer + copy_from: crowdstrike.alert.device.system_manufacturer + ignore_empty_value: true + - rename: + field: json.device.system_product_name + tag: rename_device_system_product_name + target_field: crowdstrike.alert.device.system_product_name + ignore_missing: true + - set: + field: device.model.name + tag: set_device_model_name + copy_from: crowdstrike.alert.device.system_product_name + ignore_empty_value: true + - rename: + field: json.device.tags + tag: rename_device_tags + target_field: crowdstrike.alert.device.tags + ignore_missing: true + - foreach: + tag: foreach_crowdstrike_alert_device_tags_a1915566 + field: crowdstrike.alert.device.tags + if: ctx.crowdstrike?.alert?.device?.tags instanceof List + processor: + append: + field: tags + tag: append_device_tags_into_tags + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.display_name + tag: rename_display_name + target_field: crowdstrike.alert.display_name + ignore_missing: true + - foreach: + tag: foreach_json_documents_accessed_afb565b7 + field: json.documents_accessed + if: ctx.json?.documents_accessed instanceof List + processor: + date: + field: _ingest._value.timestamp + tag: date_documents_accessed_timestamp + target_field: _ingest._value.timestamp + formats: + - UNIX + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.timestamp + ignore_missing: true + - rename: + field: json.documents_accessed + tag: rename_documents_accessed + target_field: crowdstrike.alert.documents_accessed + ignore_missing: true + - convert: + field: json.email_sent + tag: convert_email_sent_to_boolean + target_field: crowdstrike.alert.email_sent + type: boolean + if: ctx.json?.email_sent != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_b088653e + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.end_time + tag: date_end_time + target_field: crowdstrike.alert.end_time + formats: + - ISO8601 + if: ctx.json?.end_time != null && ctx.json.end_time != '' + on_failure: + - append: + tag: append_error_message_2fdf0e8d + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.end + tag: set_event_end_from_alert_end_time + copy_from: crowdstrike.alert.end_time + ignore_empty_value: true + - rename: + field: json.event_id + tag: rename_event_id + target_field: crowdstrike.alert.event_id + ignore_missing: true + - foreach: + tag: foreach_json_executables_written_d270852a + field: json.executables_written + if: ctx.json?.executables_written instanceof List + processor: + date: + field: _ingest._value.timestamp + tag: date_executables_written_timestamp + target_field: _ingest._value.timestamp + formats: + - UNIX + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.timestamp + ignore_missing: true + - rename: + field: json.executables_written + tag: rename_executables_written + target_field: crowdstrike.alert.executables_written + ignore_missing: true + - rename: + field: json.falcon_host_link + tag: rename_falcon_host_link + target_field: crowdstrike.alert.falcon_host_link + ignore_missing: true + - rename: + field: json.filename + tag: rename_filename + target_field: crowdstrike.alert.filename + ignore_missing: true + - set: + field: file.name + tag: set_file_name_from_alert_filename + copy_from: crowdstrike.alert.filename + ignore_empty_value: true + - set: + field: process.name + tag: set_process_name + copy_from: crowdstrike.alert.filename + ignore_empty_value: true + - rename: + field: json.filepath + tag: rename_filepath + target_field: crowdstrike.alert.filepath + ignore_missing: true + - set: + field: file.path + tag: set_file_path_from_alert_filepath + copy_from: crowdstrike.alert.filepath + ignore_empty_value: true + - set: + field: process.executable + tag: set_process_executable + copy_from: crowdstrike.alert.filepath + ignore_empty_value: true + - foreach: + tag: foreach_json_file_writes_c1fc43a1 + field: json.file_writes + if: ctx.json?.file_writes instanceof List + processor: + append: + field: related.hash + tag: append_file_writes_sha256_into_related_hash + value: '{{{_ingest._value.sha256}}}' + allow_duplicates: false + - rename: + field: json.file_writes + tag: rename_file_writes + target_field: crowdstrike.alert.file_writes + ignore_missing: true + - foreach: + tag: foreach_json_files_accessed_df889ede + field: json.files_accessed + if: ctx.json?.files_accessed instanceof List + processor: + date: + field: _ingest._value.timestamp + tag: date_files_accessed_timestamp + target_field: _ingest._value.timestamp + formats: + - UNIX + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.timestamp + ignore_missing: true + - rename: + field: json.files_accessed + tag: rename_files_accessed + target_field: crowdstrike.alert.files_accessed + ignore_missing: true + - foreach: + tag: foreach_json_files_written_4c004154 + field: json.files_written + if: ctx.json?.files_written instanceof List + processor: + date: + field: _ingest._value.timestamp + tag: date_files_written_timestamp + target_field: _ingest._value.timestamp + formats: + - UNIX + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.timestamp + ignore_missing: true + - rename: + field: json.files_written + tag: rename_files_written + target_field: crowdstrike.alert.files_written + ignore_missing: true + - rename: + field: json.global_prevalence + tag: rename_global_prevalence + target_field: crowdstrike.alert.global_prevalence + ignore_missing: true + - rename: + field: json.grandparent_details.cmdline + tag: rename_grandparent_details_cmdline + target_field: crowdstrike.alert.grandparent_details.cmdline + ignore_missing: true + - rename: + field: json.grandparent_details.filename + tag: rename_grandparent_details_filename + target_field: crowdstrike.alert.grandparent_details.filename + ignore_missing: true + - rename: + field: json.grandparent_details.filepath + tag: rename_grandparent_details_filepath + target_field: crowdstrike.alert.grandparent_details.filepath + ignore_missing: true + - rename: + field: json.grandparent_details.local_process_id + tag: rename_grandparent_details_local_process_id + target_field: crowdstrike.alert.grandparent_details.local_process_id + ignore_missing: true + - rename: + field: json.grandparent_details.md5 + tag: rename_grandparent_details_md5 + target_field: crowdstrike.alert.grandparent_details.md5 + ignore_missing: true + - append: + tag: append_related_hash_649c6a84 + field: related.hash + value: '{{{crowdstrike.alert.grandparent_details.md5}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.grandparent_details?.md5 != null + - rename: + field: json.grandparent_details.process_graph_id + tag: rename_grandparent_details_process_graph_id + target_field: crowdstrike.alert.grandparent_details.process_graph_id + ignore_missing: true + - rename: + field: json.grandparent_details.process_id + tag: rename_grandparent_details_process_id + target_field: crowdstrike.alert.grandparent_details.process_id + ignore_missing: true + - rename: + field: json.grandparent_details.sha256 + tag: rename_grandparent_details_sha256 + target_field: crowdstrike.alert.grandparent_details.sha256 + ignore_missing: true + - append: + tag: append_related_hash_a759b902 + field: related.hash + value: '{{{crowdstrike.alert.grandparent_details.sha256}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.grandparent_details?.sha256 != null + - date: + field: json.grandparent_details.timestamp + tag: date_grandparent_details_timestamp + target_field: crowdstrike.alert.grandparent_details.timestamp + formats: + - ISO8601 + if: ctx.json?.grandparent_details?.timestamp != null && ctx.json.grandparent_details.timestamp != '' + on_failure: + - append: + tag: append_error_message_f54f16cd + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.grandparent_details.user_graph_id + tag: rename_grandparent_details_user_graph_id + target_field: crowdstrike.alert.grandparent_details.user_graph_id + ignore_missing: true + - append: + field: related.user + tag: append_user_graph_id_into_related_user + value: '{{{crowdstrike.alert.grandparent_details.user_graph_id}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.grandparent_details?.user_graph_id != null + - rename: + field: json.grandparent_details.user_id + tag: rename_grandparent_details_user_id + target_field: crowdstrike.alert.grandparent_details.user_id + ignore_missing: true + - append: + field: related.user + tag: append_grandparent_details_user_id_into_related_user + value: '{{{crowdstrike.alert.grandparent_details.user_id}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.grandparent_details?.user_id != null + - rename: + field: json.grandparent_details.user_name + tag: rename_grandparent_details_user_name + target_field: crowdstrike.alert.grandparent_details.user_name + ignore_missing: true + - append: + field: related.user + tag: append_grandparent_details_user_name_into_related_user + value: '{{{crowdstrike.alert.grandparent_details.user_name}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.grandparent_details?.user_name != null + - convert: + field: json.has_script_or_module_ioc + tag: convert_has_script_or_module_ioc_to_boolean + target_field: crowdstrike.alert.has_script_or_module_ioc + type: boolean + if: ctx.json?.has_script_or_module_ioc != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_6b069dda + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.host_name + tag: rename_host_name + target_field: crowdstrike.alert.host_name + ignore_missing: true + - set: + field: host.name + tag: set_host_name_from_alert_host_name + copy_from: crowdstrike.alert.host_name + ignore_empty_value: true + - append: + tag: append_related_hosts_452ef445 + field: related.hosts + value: '{{{host.name}}}' + allow_duplicates: false + if: ctx.host?.name != null + - rename: + field: json.host_type + tag: rename_host_type + target_field: crowdstrike.alert.host_type + ignore_missing: true + - set: + field: host.type + tag: set_host_type_from_alert_host_type + copy_from: crowdstrike.alert.host_type + ignore_empty_value: true + - script: + tag: reconstruct_has_script_or_module_ioc_from_ioc_context + lang: painless + if: ctx.crowdstrike?.alert?.has_script_or_module_ioc == null && ctx.json?.ioc_context instanceof List + source: | + if (ctx.crowdstrike == null) { + ctx.crowdstrike = [:]; + } + if (ctx.crowdstrike.alert == null) { + ctx.crowdstrike.alert = [:]; + } + for (def c: ctx.json.ioc_context) { + if (c.type == 'module' || c.type == 'script') { + ctx.crowdstrike.alert.has_script_or_module_ioc = true; + return; + } + } + ctx.crowdstrike.alert.has_script_or_module_ioc = false; + - rename: + field: json.id + tag: rename_id + target_field: crowdstrike.alert.id + ignore_missing: true + - set: + field: event.id + tag: set_event_id_from_alert_id + copy_from: crowdstrike.alert.id + ignore_empty_value: true + - convert: + field: json.idp_policy_enforced_externally + tag: convert_idp_policy_enforced_externally_to_long + target_field: crowdstrike.alert.idp_policy.enforced_externally + type: long + if: ctx.json?.idp_policy_enforced_externally != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_e21c42b5 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.idp_policy_mfa_factor_type + tag: convert_idp_policy_mfa_factor_type_to_long + target_field: crowdstrike.alert.idp_policy.mfa_factor_type + type: long + if: ctx.json?.idp_policy_mfa_factor_type != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_922f1ac1 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.idp_policy_mfa_provider + tag: convert_idp_policy_mfa_provider_to_long + target_field: crowdstrike.alert.idp_policy.mfa_provider + type: long + if: ctx.json?.idp_policy_mfa_provider != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_c078ba79 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.idp_policy_rule_action + tag: convert_idp_policy_rule_action_to_long + target_field: crowdstrike.alert.idp_policy.rule_action + type: long + if: ctx.json?.idp_policy_rule_action != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_478ac271 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.idp_policy_rule_trigger + tag: convert_idp_policy_rule_trigger_to_long + target_field: crowdstrike.alert.idp_policy.rule_trigger + type: long + if: ctx.json?.idp_policy_rule_trigger != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_72eb86c9 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.idp_policy_rule_id + tag: rename_idp_policy_rule_id + target_field: crowdstrike.alert.idp_policy.rule_id + ignore_missing: true + - set: + field: rule.id + tag: set_rule_id_from_alert_idp_policy_rule_id + copy_from: crowdstrike.alert.idp_policy.rule_id + ignore_empty_value: true + - rename: + field: json.idp_policy_rule_name + tag: rename_idp_policy_rule_name + target_field: crowdstrike.alert.idp_policy.rule_name + ignore_missing: true + - set: + field: rule.name + tag: set_rule_name_from_alert_idp_policy_rule_name + copy_from: crowdstrike.alert.idp_policy.rule_name + ignore_empty_value: true + - rename: + field: json.image_file_name + tag: rename_image_file_name + target_field: crowdstrike.alert.image_file_name + ignore_missing: true + - set: + field: file.path + tag: set_file_path_from_alert_image_file_name + copy_from: crowdstrike.alert.image_file_name + ignore_empty_value: true + - date: + field: json.incident.created + tag: date_incident_created + target_field: crowdstrike.alert.incident.created + formats: + - yyyy-MM-dd'T'HH:mm:ss'Z' + if: ctx.json?.incident?.created != null && ctx.json.incident.created != '' + on_failure: + - append: + tag: append_error_message_1b08aaf8 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.incident.end + tag: date_incident_end + target_field: crowdstrike.alert.incident.end + formats: + - yyyy-MM-dd'T'HH:mm:ss'Z' + if: ctx.json?.incident?.end != null && ctx.json.incident.end != '' + on_failure: + - append: + tag: append_error_message_9682a107 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.incident.id + tag: rename_incident_id + target_field: crowdstrike.alert.incident.id + ignore_missing: true + - convert: + field: json.incident.score + tag: convert_incident_score_to_double + target_field: crowdstrike.alert.incident.score + type: double + if: ctx.json?.incident?.score != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_4fbe1f42 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.incident.start + tag: date_incident_start + target_field: crowdstrike.alert.incident.start + formats: + - yyyy-MM-dd'T'HH:mm:ss'Z' + if: ctx.json?.incident?.start != null && ctx.json.incident.start != '' + on_failure: + - append: + tag: append_error_message_8f19278c + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - rename: + field: json.indicator_id + tag: rename_indicator_id + target_field: crowdstrike.alert.indicator_id + ignore_missing: true + - rename: + field: json.ioc_context + tag: rename_ioc_context + target_field: crowdstrike.alert.ioc_context + ignore_missing: true + - foreach: + tag: foreach_crowdstrike_alert_ioc_context_3f9e797e + field: crowdstrike.alert.ioc_context + if: ctx.crowdstrike?.alert?.ioc_context instanceof List + ignore_failure: true + processor: + append: + field: related.hash + tag: append_ioc_context_md5_to_related_hash + value: '{{{_ingest._value.md5}}}' + allow_duplicates: false + - foreach: + tag: foreach_crowdstrike_alert_ioc_context_f5ad7768 + field: crowdstrike.alert.ioc_context + if: ctx.crowdstrike?.alert?.ioc_context instanceof List + ignore_failure: true + processor: + append: + field: related.hash + tag: append_ioc_context_sha256_to_related_hash + value: '{{{_ingest._value.sha256}}}' + allow_duplicates: false + - rename: + field: json.ioc_description + tag: rename_ioc_description + target_field: crowdstrike.alert.ioc_description + ignore_missing: true + - rename: + field: json.ioc_source + tag: rename_ioc_source + target_field: crowdstrike.alert.ioc_source + ignore_missing: true + - rename: + field: json.ioc_type + tag: rename_ioc_type + target_field: crowdstrike.alert.ioc_type + ignore_missing: true + - rename: + field: json.ioc_value + tag: rename_ioc_value + target_field: crowdstrike.alert.ioc_value + ignore_missing: true + - rename: + field: json.ioc_values + tag: rename_ioc_values + target_field: crowdstrike.alert.ioc_values + ignore_missing: true + - append: + field: crowdstrike.alert.ioc_values + tag: append_ioc_value_to_ioc_values + value: '{{{crowdstrike.alert.ioc_value}}}' + if: ctx.crowdstrike?.alert?.ioc_value != null + allow_duplicates: false + - foreach: + tag: reconstruct_ioc_values_from_ioc_context + field: crowdstrike.alert.ioc_context + if: ctx.crowdstrike?.alert?.ioc_context instanceof List + ignore_failure: true + processor: + append: + field: crowdstrike.alert.ioc_values + tag: append_ioc_context_ioc_value_to_ioc_values + value: '{{{_ingest._value.ioc_value}}}' + allow_duplicates: false + - convert: + field: json.is_synthetic_quarantine_disposition + tag: convert_is_synthetic_quarantine_disposition_to_boolean + target_field: crowdstrike.alert.is_synthetic_quarantine_disposition + type: boolean + if: ctx.json?.is_synthetic_quarantine_disposition != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_0ae0c1e8 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + tag: reconstruct_is_synthetic_quarantine_disposition_from_pattern_disposition_details + lang: painless + if: ctx.crowdstrike?.alert?.is_synthetic_quarantine_disposition == null && ctx.json?.pattern_disposition_details instanceof Map + source: | + if (ctx.crowdstrike == null) { + ctx.crowdstrike = [:]; + } + if (ctx.crowdstrike.alert == null) { + ctx.crowdstrike.alert = [:]; + } + for (def d: ctx.json.pattern_disposition_details.entrySet()) { + if (d.getKey() == 'quarantine_file') { + ctx.crowdstrike.alert.is_synthetic_quarantine_disposition = d.getValue(); + return; + } + } + ctx.crowdstrike.alert.is_synthetic_quarantine_disposition = false; + - convert: + field: json.ldap_search_query_attack + tag: convert_ldap_search_query_attack_to_long + target_field: crowdstrike.alert.ldap_search_query_attack + type: long + if: ctx.json?.ldap_search_query_attack != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_6367d526 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.local_prevalence + tag: rename_local_prevalence + target_field: crowdstrike.alert.local_prevalence + ignore_missing: true + - rename: + field: json.local_process_id + tag: rename_local_process_id + target_field: crowdstrike.alert.local_process_id + ignore_missing: true + - rename: + field: json.location_country_code + tag: rename_location_country_code + target_field: crowdstrike.alert.location_country_code + ignore_missing: true + - set: + field: observer.geo.country_iso_code + tag: set_observer_geo_country_iso_code_from_alert_location_country_code + copy_from: crowdstrike.alert.location_country_code + ignore_empty_value: true + - convert: + field: json.location_latitude_as_int + tag: convert_location_latitude_as_int_to_long + target_field: crowdstrike.alert.location_latitude_as_int + type: long + if: ctx.json?.location_latitude_as_int != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_ce2b0cb6 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.location_longitude_as_int + tag: convert_location_longitude_as_int_to_long + target_field: crowdstrike.alert.location_longitude_as_int + type: long + if: ctx.json?.location_longitude_as_int != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_6174bcc0 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + description: combine latitude and longitude. + tag: script_to_combine_latitude_and_longitude + lang: painless + if: ctx.crowdstrike?.alert?.location_latitude_as_int != null && ctx.crowdstrike?.alert?.location_longitude_as_int != null + source: |- + def location = new HashMap(); + location.put('lat', ctx.crowdstrike.alert.location_latitude_as_int); + location.put('lon', ctx.crowdstrike.alert.location_longitude_as_int); + if(ctx.observer == null) { + ctx.put('observer', new HashMap()); + } + if(ctx.observer.geo == null){ + ctx.observer.put('geo', new HashMap()); + } + ctx.observer.geo.location = location; + - rename: + field: json.logon_domain + tag: rename_logon_domain + target_field: crowdstrike.alert.logon_domain + ignore_missing: true + - rename: + field: json.md5 + tag: rename_md5 + target_field: crowdstrike.alert.md5 + ignore_missing: true + - set: + field: process.hash.md5 + tag: set_process_hash_md5 + copy_from: crowdstrike.alert.md5 + ignore_empty_value: true + - append: + tag: append_related_hash_a08aaaeb + field: related.hash + value: '{{{crowdstrike.alert.md5}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.md5 != null + - rename: + field: json.model_anomaly_indicators + tag: rename_model_anomaly_indicators + target_field: crowdstrike.alert.model_anomaly_indicators + ignore_missing: true + - rename: + field: json.name + tag: rename_name + target_field: crowdstrike.alert.name + ignore_missing: true + - foreach: + tag: foreach_json_network_accesses_ff581076 + field: json.network_accesses + if: ctx.json?.network_accesses instanceof List + processor: + date: + field: _ingest._value.access_timestamp + tag: date_network_accesses_access_timestamp + target_field: _ingest._value.access_timestamp + formats: + - UNIX + - UNIX_MS + on_failure: + - remove: + field: _ingest._value.access_timestamp + ignore_missing: true + - foreach: + tag: foreach_json_network_accesses_318ca723 + field: json.network_accesses + if: ctx.json?.network_accesses instanceof List + processor: + convert: + field: _ingest._value.access_type + tag: convert_network_accesses_access_type_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.access_type + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_json_network_accesses_1e51a8d3 + field: json.network_accesses + if: ctx.json?.network_accesses instanceof List + processor: + convert: + field: _ingest._value.isIPV6 + tag: convert_network_accesses_isIPV6_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.isIPV6 + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_json_network_accesses_1ede2c2a + field: json.network_accesses + if: ctx.json?.network_accesses instanceof List + processor: + convert: + field: _ingest._value.local_address + tag: convert_network_accesses_local_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.local_address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_json_network_accesses_3fff7cf5 + field: json.network_accesses + if: ctx.json?.network_accesses instanceof List + processor: + append: + field: related.ip + tag: append_network_accesses_local_address_into_related_ip + value: '{{{_ingest._value.local_address}}}' + allow_duplicates: false + - foreach: + tag: foreach_json_network_accesses_7d5dd5fd + field: json.network_accesses + if: ctx.json?.network_accesses instanceof List + processor: + convert: + field: _ingest._value.local_port + tag: convert_network_accesses_local_port_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.local_port + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_json_network_accesses_4b460423 + field: json.network_accesses + if: ctx.json?.network_accesses instanceof List + processor: + convert: + field: _ingest._value.remote_address + tag: convert_network_accesses_remote_address_to_ip + type: ip + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.remote_address + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + tag: foreach_json_network_accesses_5f45fe37 + field: json.network_accesses + if: ctx.json?.network_accesses instanceof List + processor: + append: + field: related.ip + tag: append_network_accesses_remote_address_into_related_ip + value: '{{{_ingest._value.remote_address}}}' + allow_duplicates: false + - foreach: + tag: foreach_json_network_accesses_7a97418a + field: json.network_accesses + if: ctx.json?.network_accesses instanceof List + processor: + convert: + field: _ingest._value.remote_port + tag: convert_network_accesses_remote_port_to_long + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.remote_port + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.network_accesses + tag: rename_network_accesses + target_field: crowdstrike.alert.network_accesses + ignore_missing: true + - rename: + field: json.objective + tag: rename_objective + target_field: crowdstrike.alert.objective + ignore_missing: true + - rename: + field: json.operating_system + tag: rename_operating_system + target_field: crowdstrike.alert.operating_system + ignore_missing: true + - set: + field: host.os.name + tag: set_host_os_name_from_alert_operating_system + copy_from: crowdstrike.alert.operating_system + ignore_empty_value: true + - script: + description: Dynamically set host.os.type values. + tag: script_map_host_os_type + lang: painless + params: + os_type: + - linux + - macos + - unix + - windows + - ios + - android + source: | + if (ctx.crowdstrike?.alert?.device?.platform_name != null) { + String platform_name = ctx.crowdstrike.alert.device.platform_name.toLowerCase(); + for (String os: params.os_type) { + if (platform_name.contains(os)) { + ctx.host.os.put('type', os); + return; + } + } + } else if (ctx.crowdstrike?.alert?.operating_system != null) { + String operating_system = ctx.crowdstrike.alert.operating_system.toLowerCase(); + for (String os: params.os_type) { + if (operating_system.contains(os)) { + ctx.host.os.put('type', os); + return; + } + } + } + - rename: + field: json.os_name + tag: rename_os_name + target_field: crowdstrike.alert.os_name + ignore_missing: true + - set: + field: host.os.family + tag: set_host_os_family_from_alert_os_name + copy_from: crowdstrike.alert.os_name + ignore_empty_value: true + - rename: + field: json.parent_details.cmdline + tag: rename_parent_details_cmdline + target_field: crowdstrike.alert.parent_details.cmdline + ignore_missing: true + - set: + field: process.parent.command_line + tag: set_process_parent_command_line_from_alert_parent_details_cmdline + copy_from: crowdstrike.alert.parent_details.cmdline + ignore_empty_value: true + - rename: + field: json.parent_details.filename + tag: rename_parent_details_filename + target_field: crowdstrike.alert.parent_details.filename + ignore_missing: true + - set: + field: process.parent.name + tag: set_process_parent_name + copy_from: crowdstrike.alert.parent_details.filename + ignore_empty_value: true + - rename: + field: json.parent_details.filepath + tag: rename_parent_details_filepath + target_field: crowdstrike.alert.parent_details.filepath + ignore_missing: true + - set: + field: process.parent.executable + tag: set_process_parent_executable + copy_from: crowdstrike.alert.parent_details.filepath + ignore_empty_value: true + - rename: + field: json.parent_details.local_process_id + tag: rename_parent_details_local_process_id + target_field: crowdstrike.alert.parent_details.local_process_id + ignore_missing: true + - rename: + field: json.parent_details.md5 + tag: rename_parent_details_md5 + target_field: crowdstrike.alert.parent_details.md5 + ignore_missing: true + - append: + tag: append_related_hash_ed393c44 + field: related.hash + value: '{{{crowdstrike.alert.parent_details.md5}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.parent_details?.md5 != null + - set: + field: process.parent.hash.md5 + tag: set_process_parent_hash_md5_from_alert_parent_details_md5 + copy_from: crowdstrike.alert.parent_details.md5 + ignore_empty_value: true + - rename: + field: json.parent_details.process_graph_id + tag: rename_parent_details_process_graph_id + target_field: crowdstrike.alert.parent_details.process_graph_id + ignore_missing: true + - rename: + field: json.parent_details.process_id + tag: rename_parent_details_process_id + target_field: crowdstrike.alert.parent_details.process_id + ignore_missing: true + - rename: + field: json.parent_details.sha256 + tag: rename_parent_details_sha256 + target_field: crowdstrike.alert.parent_details.sha256 + ignore_missing: true + - set: + field: process.parent.hash.sha256 + tag: set_process_parent_hash_sha256_from_alert_parent_details_sha256 + copy_from: crowdstrike.alert.parent_details.sha256 + ignore_empty_value: true + - append: + tag: append_related_hash_94e1cdf8 + field: related.hash + value: '{{{crowdstrike.alert.parent_details.sha256}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.parent_details?.sha256 != null + - date: + field: json.parent_details.timestamp + tag: date_parent_details_timestamp + target_field: crowdstrike.alert.parent_details.timestamp + formats: + - ISO8601 + if: ctx.json?.parent_details?.timestamp != null && ctx.json.parent_details.timestamp != '' + on_failure: + - append: + tag: append_error_message_a27d7807 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.parent_details.user_graph_id + tag: rename_parent_details_user_graph_id + target_field: crowdstrike.alert.parent_details.user_graph_id + ignore_missing: true + - append: + field: related.user + tag: append_parent_details_user_graph_id_into_related_user + value: '{{{crowdstrike.alert.parent_details.user_graph_id}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.parent_details?.user_graph_id != null + - rename: + field: json.parent_details.user_id + tag: rename_parent_details_user_id + target_field: crowdstrike.alert.parent_details.user_id + ignore_missing: true + - set: + field: process.user.id + tag: set_process_user_id_from_alert_parent_details_user_id + copy_from: crowdstrike.alert.parent_details.user_id + ignore_empty_value: true + - rename: + field: json.parent_details.user_name + tag: rename_parent_details_user_name + target_field: crowdstrike.alert.parent_details.user_name + ignore_missing: true + - set: + field: process.user.name + tag: set_process_user_name_from_alert_parent_details_user_name + copy_from: crowdstrike.alert.parent_details.user_name + ignore_empty_value: true + - append: + field: related.user + tag: append_parent_details_user_id_into_related_user + value: '{{{crowdstrike.alert.parent_details.user_id}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.parent_details?.user_id != null + - append: + field: related.user + tag: append_parent_details_user_name_into_related_user + value: '{{{crowdstrike.alert.parent_details.user_name}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.parent_details?.user_name != null + - rename: + field: json.parent_process_id + tag: rename_parent_process_id + target_field: crowdstrike.alert.parent_process_id + ignore_missing: true + - set: + field: process.parent.entity_id + tag: set_process_parent_entity_id + copy_from: crowdstrike.alert.parent_process_id + ignore_empty_value: true + - convert: + field: crowdstrike.alert.parent_process_id + tag: convert_alert_parent_process_id + target_field: process.parent.pid + type: long + if: ctx.crowdstrike?.alert?.parent_process_id != '' + ignore_missing: true + on_failure: + - append: + tag: append_error_message_4d8b91ba + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition + tag: convert_pattern_disposition_to_long + target_field: crowdstrike.alert.pattern_disposition + type: long + if: ctx.json?.pattern_disposition != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_6d9249e4 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.pattern_disposition_description + tag: rename_pattern_disposition_description + target_field: crowdstrike.alert.pattern_disposition_description + ignore_missing: true + - convert: + field: json.pattern_disposition_details.blocking_unsupported_or_disabled + tag: convert_pattern_disposition_details_blocking_unsupported_or_disabled_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.blocking_unsupported_or_disabled + type: boolean + if: ctx.json?.pattern_disposition_details?.blocking_unsupported_or_disabled != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_6c758146 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.bootup_safeguard_enabled + tag: convert_pattern_disposition_details_bootup_safeguard_enabled_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.bootup_safeguard_enabled + type: boolean + if: ctx.json?.pattern_disposition_details?.bootup_safeguard_enabled != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_d1b98da6 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.containment_file_system + tag: convert_pattern_disposition_details_containment_file_system_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.containment_file_system + type: boolean + if: ctx.json?.pattern_disposition_details?.containment_file_system != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_119c3892 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.critical_process_disabled + tag: convert_pattern_disposition_details_critical_process_disabled_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.critical_process_disabled + type: boolean + if: ctx.json?.pattern_disposition_details?.critical_process_disabled != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_6f96f132 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.detect + tag: convert_pattern_disposition_details_detect_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.detect + type: boolean + if: ctx.json?.pattern_disposition_details?.detect != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_7751ab8a + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.fs_operation_blocked + tag: convert_pattern_disposition_details_fs_operation_blocked_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.fs_operation_blocked + type: boolean + if: ctx.json?.pattern_disposition_details?.fs_operation_blocked != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_61002fc2 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.handle_operation_downgraded + tag: convert_pattern_disposition_details_handle_operation_downgraded_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.handle_operation_downgraded + type: boolean + if: ctx.json?.pattern_disposition_details?.handle_operation_downgraded != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_a2ef9e8a + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.inddet_mask + tag: convert_pattern_disposition_details_inddet_mask_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.inddet_mask + type: boolean + if: ctx.json?.pattern_disposition_details?.inddet_mask != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_bda6a766 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.indicator + tag: convert_pattern_disposition_details_indicator_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.indicator + type: boolean + if: ctx.json?.pattern_disposition_details?.indicator != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_ba747b92 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.kill_action_failed + tag: convert_pattern_disposition_details_kill_action_failed_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.kill_action_failed + type: boolean + if: ctx.json?.pattern_disposition_details?.kill_action_failed != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_e59d19d6 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.kill_parent + tag: convert_pattern_disposition_details_kill_parent_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.kill_parent + type: boolean + if: ctx.json?.pattern_disposition_details?.kill_parent != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_5d89abba + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.kill_process + tag: convert_pattern_disposition_details_kill_process_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.kill_process + type: boolean + if: ctx.json?.pattern_disposition_details?.kill_process != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_97b01cce + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.kill_subprocess + tag: convert_pattern_disposition_details_kill_subprocess_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.kill_subprocess + type: boolean + if: ctx.json?.pattern_disposition_details?.kill_subprocess != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_d3896f6a + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.mfa_required + tag: convert_pattern_disposition_details_mfa_required_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.mfa_required + type: boolean + if: ctx.json?.pattern_disposition_details?.mfa_required != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_fe37ff02 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.operation_blocked + tag: convert_pattern_disposition_details_operation_blocked_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.operation_blocked + type: boolean + if: ctx.json?.pattern_disposition_details?.operation_blocked != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_0e672fd2 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.policy_disabled + tag: convert_pattern_disposition_details_policy_disabled_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.policy_disabled + type: boolean + if: ctx.json?.pattern_disposition_details?.policy_disabled != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_d2857342 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.prevention_provisioning_enabled + tag: convert_pattern_disposition_details_prevention_provisioning_enabled_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.prevention_provisioning_enabled + type: boolean + if: ctx.json?.pattern_disposition_details?.prevention_provisioning_enabled != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_32b4571a + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.process_blocked + tag: convert_pattern_disposition_details_process_blocked_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.process_blocked + type: boolean + if: ctx.json?.pattern_disposition_details?.process_blocked != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_036aa0ae + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.quarantine_file + tag: convert_pattern_disposition_details_quarantine_file_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.quarantine_file + type: boolean + if: ctx.json?.pattern_disposition_details?.quarantine_file != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_61401cb2 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.quarantine_machine + tag: convert_pattern_disposition_details_quarantine_machine_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.quarantine_machine + type: boolean + if: ctx.json?.pattern_disposition_details?.quarantine_machine != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_1ef3462a + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.registry_operation_blocked + tag: convert_pattern_disposition_details_registry_operation_blocked_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.registry_operation_blocked + type: boolean + if: ctx.json?.pattern_disposition_details?.registry_operation_blocked != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_d95082fa + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.response_action_already_applied + tag: convert_pattern_disposition_details_response_action_already_applied_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.response_action_already_applied + type: boolean + if: ctx.json?.pattern_disposition_details?.response_action_already_applied != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_37991dee + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.response_action_failed + tag: convert_pattern_disposition_details_response_action_failed_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.response_action_failed + type: boolean + if: ctx.json?.pattern_disposition_details?.response_action_failed != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_478de4d6 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.response_action_triggered + tag: convert_pattern_disposition_details_response_action_triggered_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.response_action_triggered + type: boolean + if: ctx.json?.pattern_disposition_details?.response_action_triggered != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_81752cea + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.rooting + tag: convert_pattern_disposition_details_rooting_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.rooting + type: boolean + if: ctx.json?.pattern_disposition_details?.rooting != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_706077de + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.sensor_only + tag: convert_pattern_disposition_details_sensor_only_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.sensor_only + type: boolean + if: ctx.json?.pattern_disposition_details?.sensor_only != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_f9fec482 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.suspend_parent + tag: convert_pattern_disposition_details_suspend_parent_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.suspend_parent + type: boolean + if: ctx.json?.pattern_disposition_details?.suspend_parent != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_2c62d45a + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_disposition_details.suspend_process + tag: convert_pattern_disposition_details_suspend_process_to_boolean + target_field: crowdstrike.alert.pattern_disposition_details.suspend_process + type: boolean + if: ctx.json?.pattern_disposition_details?.suspend_process != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_40d4a60a + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.pattern_id + tag: convert_pattern_id_to_string + target_field: crowdstrike.alert.pattern_id + type: string + ignore_missing: true + - rename: + field: json.platform + tag: rename_platform + target_field: crowdstrike.alert.platform + ignore_missing: true + - rename: + field: json.poly_id + tag: rename_poly_id + target_field: crowdstrike.alert.poly_id + ignore_missing: true + - date: + field: json.process_end_time + tag: date_process_end_time + target_field: crowdstrike.alert.process_end_time + formats: + - UNIX + - UNIX_MS + if: ctx.json?.process_end_time != null && ctx.json.process_end_time != '' + on_failure: + - append: + tag: append_error_message_ad80044e + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: process.end + tag: set_process_end + copy_from: crowdstrike.alert.process_end_time + ignore_empty_value: true + - rename: + field: json.process_id + tag: rename_process_id + target_field: crowdstrike.alert.process_id + ignore_missing: true + - set: + field: process.entity_id + tag: set_process_entity_id + copy_from: crowdstrike.alert.process_id + ignore_empty_value: true + - convert: + field: crowdstrike.alert.process_id + tag: convert_alert_process_id_to_long + target_field: process.pid + type: long + ignore_missing: true + if: ctx.crowdstrike?.alert?.process_id != '' + on_failure: + - append: + tag: append_error_message_67be768a + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.process_start_time + tag: date_process_start_time + target_field: crowdstrike.alert.process_start_time + formats: + - UNIX + - UNIX_MS + if: ctx.json?.process_start_time != null && ctx.json.process_start_time != '' + on_failure: + - append: + tag: append_error_message_f0c61775 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: process.start + tag: set_process_start + copy_from: crowdstrike.alert.process_start_time + ignore_empty_value: true + - rename: + field: json.product + tag: rename_product + target_field: crowdstrike.alert.product + ignore_missing: true + - convert: + field: json.protocol_anomaly_classification + tag: convert_protocol_anomaly_classification_to_long + target_field: crowdstrike.alert.protocol_anomaly_classification + type: long + if: ctx.json?.protocol_anomaly_classification != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_587d0e0c + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.quarantined + tag: convert_quarantined_to_boolean + target_field: crowdstrike.alert.quarantined + type: boolean + if: ctx.json?.quarantined != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_bf2c729a + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.quarantined_files + tag: rename_quarantined_files + target_field: crowdstrike.alert.quarantined_files + ignore_missing: true + - foreach: + tag: foreach_crowdstrike_alert_quarantined_files_b20fbedf + field: crowdstrike.alert.quarantined_files + if: ctx.crowdstrike?.alert?.quarantined_files instanceof List + ignore_failure: true + processor: + append: + field: related.hash + tag: append_quarantined_files_to_related_hash + value: '{{{_ingest._value.sha256}}}' + allow_duplicates: false + - rename: + field: json.scan_id + tag: rename_scan_id + target_field: crowdstrike.alert.scan_id + ignore_missing: true + - rename: + field: json.scenario + tag: rename_scenario + target_field: crowdstrike.alert.scenario + ignore_missing: true + - convert: + field: json.seconds_to_resolved + tag: convert_seconds_to_resolved_to_long + target_field: crowdstrike.alert.seconds_to_resolved + type: long + if: ctx.json?.seconds_to_resolved != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_8af241e0 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.seconds_to_triaged + tag: convert_seconds_to_triaged_to_long + target_field: crowdstrike.alert.seconds_to_triaged + type: long + if: ctx.json?.seconds_to_triaged != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_f02749ca + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.severity + tag: convert_severity_to_long + target_field: crowdstrike.alert.severity + type: long + if: ctx.json?.severity != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_3dc98c2e + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.severity_name + tag: rename_severity_name + target_field: crowdstrike.alert.severity_name + ignore_missing: true + - script: + lang: painless + description: Script to set event.severity. + tag: set_event_severity_from_severity + if: ctx.crowdstrike?.alert?.severity instanceof long && ctx.crowdstrike.alert.severity_name == null + source: |- + long severity = ctx.crowdstrike.alert.severity; + if (0 <= severity && severity < 20) { + ctx.crowdstrike.alert.severity_name = "info"; + } else if (20 <= severity && severity < 40) { + ctx.crowdstrike.alert.severity_name = "low"; + } else if (40 <= severity && severity < 60) { + ctx.crowdstrike.alert.severity_name = "medium"; + } else if (60 <= severity && severity < 80) { + ctx.crowdstrike.alert.severity_name = "high"; + } else if (80 <= severity && severity <= 100) { + ctx.crowdstrike.alert.severity_name = "critical"; + } + on_failure: + - append: + tag: append_error_message_538cc735 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + lang: painless + description: Script to set event.severity. + tag: set_event_severity_from_severity_name + if: ctx.crowdstrike?.alert?.severity_name instanceof String + source: |- + ctx.event = ctx.event ?: [:]; + String risk_score_value = ctx.crowdstrike.alert.severity_name; + if (risk_score_value.equalsIgnoreCase("low") || risk_score_value.equalsIgnoreCase("info") || risk_score_value.equalsIgnoreCase("informational")) { + ctx.event.severity = 21; + } else if (risk_score_value.equalsIgnoreCase("medium")) { + ctx.event.severity = 47; + } else if (risk_score_value.equalsIgnoreCase("high")) { + ctx.event.severity = 73; + } else if (risk_score_value.equalsIgnoreCase("critical")) { + ctx.event.severity = 99; + } + on_failure: + - append: + tag: append_error_message_087c7251 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.sha1 + tag: rename_sha1 + target_field: crowdstrike.alert.sha1 + ignore_missing: true + - rename: + field: json.sha256 + tag: rename_sha256 + target_field: crowdstrike.alert.sha256 + ignore_missing: true + - set: + field: process.hash.sha1 + tag: set_process_hash_sha1 + copy_from: crowdstrike.alert.sha1 + ignore_empty_value: true + - set: + field: process.hash.sha256 + tag: set_process_hash_sha256 + copy_from: crowdstrike.alert.sha256 + ignore_empty_value: true + - append: + tag: append_related_hash_7730cb3f + field: related.hash + value: '{{{crowdstrike.alert.sha1}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.sha1 != null + - append: + tag: append_related_hash_5cf3d32b + field: related.hash + value: '{{{crowdstrike.alert.sha256}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.sha256 != null + - convert: + field: json.show_in_ui + tag: convert_show_in_ui_to_boolean + target_field: crowdstrike.alert.show_in_ui + type: boolean + if: ctx.json?.show_in_ui != "" + ignore_missing: true + on_failure: + - append: + tag: append_error_message_1698dc44 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.source_account_azure_id + tag: rename_source_account_azure_id + target_field: crowdstrike.alert.source.account_azure_id + ignore_missing: true + - set: + field: cloud.account.id + tag: set_cloud_account_id + copy_from: crowdstrike.alert.source.account_azure_id + ignore_empty_value: true + - rename: + field: json.source_account_domain + tag: rename_source_account_domain + target_field: crowdstrike.alert.source.account_domain + ignore_missing: true + - set: + field: source.user.domain + tag: set_source_user_domain_from_alert_source_account_domain + copy_from: crowdstrike.alert.source.account_domain + ignore_empty_value: true + - append: + field: related.hosts + tag: append_source_user_domain_into_related_hosts + value: '{{{source.user.domain}}}' + allow_duplicates: false + if: ctx.source?.user?.domain != null + - rename: + field: json.source_account_name + tag: rename_source_account_name + target_field: crowdstrike.alert.source.account_name + ignore_missing: true + - set: + field: source.user.name + tag: set_source_user_name_from_alert_source_account_name + copy_from: crowdstrike.alert.source.account_name + ignore_empty_value: true + - append: + field: related.user + tag: append_source_domain_into_related_user + value: '{{{source.user.name}}}' + allow_duplicates: false + if: ctx.source?.user?.name != null + - rename: + field: json.source_account_object_guid + tag: rename_source_account_object_guid + target_field: crowdstrike.alert.source.account_object_guid + ignore_missing: true + - rename: + field: json.source_account_object_sid + tag: rename_source_account_object_sid + target_field: crowdstrike.alert.source.account_object_sid + ignore_missing: true + - rename: + field: json.source_account_sam_account_name + tag: rename_source_account_sam_account_name + target_field: crowdstrike.alert.source.account_sam_account_name + ignore_missing: true + - rename: + field: json.source_account_upn + tag: rename_source_account_upn + target_field: crowdstrike.alert.source.account_upn + ignore_missing: true + - append: + field: related.user + tag: append_crowdstrike_alert_source_account_upn_into_related_user + value: '{{{crowdstrike.alert.source.account_upn}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.source?.account_upn != null + - rename: + field: json.source_endpoint_account_object_guid + tag: rename_source_endpoint_account_object_guid + target_field: crowdstrike.alert.source.endpoint_account_object_guid + ignore_missing: true + - rename: + field: json.source_endpoint_account_object_sid + tag: rename_source_endpoint_account_object_sid + target_field: crowdstrike.alert.source.endpoint_account_object_sid + ignore_missing: true + - convert: + field: json.source_endpoint_address_ip4 + tag: convert_source_endpoint_address_ip4_to_ip + target_field: crowdstrike.alert.source.endpoint_address_ip4 + type: ip + if: ctx.json?.source_endpoint_address_ip4 != '' + ignore_missing: true + on_failure: + - append: + tag: append_error_message_4a238275 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + tag: append_crowdstrike_alert_source_endpoint_address_ip4_into_related_ip + value: '{{{crowdstrike.alert.source.endpoint_address_ip4}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.source?.endpoint_address_ip4 != null + - rename: + field: json.source_endpoint_host_name + tag: rename_source_endpoint_host_name + target_field: crowdstrike.alert.source.endpoint_host_name + ignore_missing: true + - set: + field: source.domain + tag: set_source_domain_from_alert_source_endpoint_host_name + copy_from: crowdstrike.alert.source.endpoint_host_name + ignore_empty_value: true + - append: + field: related.hosts + tag: append_source_domain_into_related_hosts + value: '{{{source.domain}}}' + allow_duplicates: false + if: ctx.source?.domain != null + - convert: + field: json.source_endpoint_ip_address + tag: convert_source_endpoint_ip_address_to_ip + target_field: crowdstrike.alert.source.endpoint_ip_address + type: ip + if: ctx.json?.source_endpoint_ip_address != '' + ignore_missing: true + on_failure: + - append: + tag: append_error_message_81555c63 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip_from_alert_source_endpoint_ip_address + copy_from: crowdstrike.alert.source.endpoint_ip_address + ignore_empty_value: true + - append: + field: related.ip + tag: append_source_ip_into_related_ip + value: '{{{source.ip}}}' + allow_duplicates: false + if: ctx.source?.ip != null + - convert: + field: json.source_endpoint_ip_reputation + tag: convert_source_endpoint_ip_reputation_to_long + target_field: crowdstrike.alert.source.endpoint_ip_reputation + type: long + if: ctx.json?.source_endpoint_ip_reputation != '' + ignore_missing: true + on_failure: + - append: + tag: append_error_message_3e386597 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.source_endpoint_sensor_id + tag: rename_source_endpoint_sensor_id + target_field: crowdstrike.alert.source.endpoint_sensor_id + ignore_missing: true + - convert: + field: json.source_ip_isp_classification + tag: convert_source_ip_isp_classification_to_long + target_field: crowdstrike.alert.source.ip_isp_classification + type: long + if: ctx.json?.source_ip_isp_classification != '' + ignore_missing: true + on_failure: + - append: + tag: append_error_message_df45a547 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.source_ip_isp_domain + tag: rename_source_ip_isp_domain + target_field: crowdstrike.alert.source.ip_isp_domain + ignore_missing: true + - rename: + field: json.source_products + tag: rename_source_products + target_field: crowdstrike.alert.source_products + ignore_missing: true + - rename: + field: json.source_vendors + tag: rename_source_vendors + target_field: crowdstrike.alert.source_vendors + ignore_missing: true + - date: + field: json.start_time + tag: date_start_time + target_field: crowdstrike.alert.start_time + formats: + - ISO8601 + if: ctx.json?.start_time != null && ctx.json.start_time != '' + on_failure: + - append: + tag: append_error_message_12c4fb68 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.start + tag: set_event_start_from_alert_start_time + copy_from: crowdstrike.alert.start_time + ignore_empty_value: true + - rename: + field: json.status + tag: rename_status + target_field: crowdstrike.alert.status + ignore_missing: true + - rename: + field: json.tactic + tag: rename_tactic + target_field: crowdstrike.alert.tactic + ignore_missing: true + - append: + field: threat.tactic.name + tag: append_threat_tactic_name + value: '{{{crowdstrike.alert.tactic}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.tactic != null + - rename: + field: json.tactic_id + tag: rename_tactic_id + target_field: crowdstrike.alert.tactic_id + ignore_missing: true + - append: + field: threat.tactic.id + tag: append_threat_tactic_id + value: '{{{crowdstrike.alert.tactic_id}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.tactic_id != null + - rename: + field: json.tags + tag: rename_tags + target_field: crowdstrike.alert.tags + ignore_missing: true + - foreach: + tag: foreach_crowdstrike_alert_tags_b755d4b9 + field: crowdstrike.alert.tags + if: ctx.crowdstrike?.alert?.tags instanceof List + processor: + append: + field: tags + tag: append_alert_tags_into_tags + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.target_endpoint_host_name + tag: rename_target_endpoint_host_name + target_field: crowdstrike.alert.target.endpoint_host_name + ignore_missing: true + - set: + field: destination.domain + tag: set_destination_domain_from_alert_target_endpoint_host_name + copy_from: crowdstrike.alert.target.endpoint_host_name + ignore_empty_value: true + - append: + field: related.hosts + tag: append_destination_domain_into_related_hosts + value: '{{{destination.domain}}}' + allow_duplicates: false + if: ctx.destination?.domain != null + - rename: + field: json.target_domain_controller_host_name + tag: rename_target_domain_controller_host_name + target_field: crowdstrike.alert.target.domain_controller_host_name + ignore_missing: true + - set: + field: destination.user.domain + tag: set_destination_user_domain_from_alert_target_domain_controller_host_name + copy_from: crowdstrike.alert.target.domain_controller_host_name + ignore_empty_value: true + - append: + field: related.hosts + tag: append_destination_user_domain_into_related_hosts + value: '{{{destination.user.domain}}}' + allow_duplicates: false + if: ctx.destination?.user?.domain != null + - rename: + field: json.target_account_name + tag: rename_target_account_name + target_field: crowdstrike.alert.target.account_name + ignore_missing: true + - set: + field: destination.user.name + tag: set_destination_user_name_from_alert_target_account_name + copy_from: crowdstrike.alert.target.account_name + ignore_empty_value: true + - append: + field: related.user + tag: append_destination_user_name_into_related_user + value: '{{{destination.user.name}}}' + allow_duplicates: false + if: ctx.destination?.user?.name != null + - rename: + field: json.target_domain_controller_object_guid + tag: rename_target_domain_controller_object_guid + target_field: crowdstrike.alert.target.domain_controller_object_guid + ignore_missing: true + - rename: + field: json.target_domain_controller_object_sid + tag: rename_target_domain_controller_object_sid + target_field: crowdstrike.alert.target.domain_controller_object_sid + ignore_missing: true + - rename: + field: json.target_endpoint_account_object_guid + tag: rename_target_endpoint_account_object_guid + target_field: crowdstrike.alert.target.endpoint_account_object_guid + ignore_missing: true + - rename: + field: json.target_endpoint_account_object_sid + tag: rename_target_endpoint_account_object_sid + target_field: crowdstrike.alert.target.endpoint_account_object_sid + ignore_missing: true + - rename: + field: json.target_endpoint_sensor_id + tag: rename_target_endpoint_sensor_id + target_field: crowdstrike.alert.target.endpoint_sensor_id + ignore_missing: true + - rename: + field: json.target_service_access_identifier + tag: rename_target_service_access_identifier + target_field: crowdstrike.alert.target.service_access_identifier + ignore_missing: true + - rename: + field: json.technique + tag: rename_technique + target_field: crowdstrike.alert.technique + ignore_missing: true + - append: + field: threat.technique.name + tag: append_threat_technique_name + value: '{{{crowdstrike.alert.technique}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.technique != null + - rename: + field: json.technique_id + tag: rename_technique_id + target_field: crowdstrike.alert.technique_id + ignore_missing: true + - append: + field: threat.technique.id + tag: append_threat_technique_id + value: '{{{crowdstrike.alert.technique_id}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.technique_id != null + - rename: + field: json.mitre_attack + tag: rename_mitre_attack + target_field: crowdstrike.alert.mitre_attack + ignore_missing: true + - foreach: + tag: foreach_crowdstrike_alert_mitre_attack_50e8fec3 + field: crowdstrike.alert.mitre_attack + if: ctx.crowdstrike?.alert?.mitre_attack instanceof List + processor: + append: + field: threat.tactic.name + tag: append_threat_tactic_name + value: '{{{_ingest._value.tactic}}}' + allow_duplicates: false + - foreach: + tag: foreach_crowdstrike_alert_mitre_attack_a75d3917 + field: crowdstrike.alert.mitre_attack + if: ctx.crowdstrike?.alert?.mitre_attack instanceof List + processor: + append: + field: threat.tactic.id + tag: append_threat_tactic_id + value: '{{{_ingest._value.tactic_id}}}' + allow_duplicates: false + - foreach: + tag: foreach_crowdstrike_alert_mitre_attack_c9b5d563 + field: crowdstrike.alert.mitre_attack + if: ctx.crowdstrike?.alert?.mitre_attack instanceof List + processor: + append: + field: threat.technique.name + tag: append_threat_technique_name + value: '{{{_ingest._value.technique}}}' + allow_duplicates: false + - foreach: + tag: foreach_crowdstrike_alert_mitre_attack_6a5df41b + field: crowdstrike.alert.mitre_attack + if: ctx.crowdstrike?.alert?.mitre_attack instanceof List + processor: + append: + field: threat.technique.id + tag: append_threat_technique_id + value: '{{{_ingest._value.technique_id}}}' + allow_duplicates: false + - foreach: + tag: foreach_crowdstrike_alert_mitre_attack_5448da51 + field: crowdstrike.alert.mitre_attack + if: ctx.crowdstrike?.alert?.mitre_attack instanceof List + processor: + convert: + field: _ingest._value.pattern_id + tag: convert_mitre_attack_pattern_id_to_string + type: string + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.pattern_id + tag: remove_ingest_value_pattern_id + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + description: Set threat.framework from threat.* fields using prefix matching and preference order. + lang: painless + tag: script_threat_framework + if: ctx.threat != null + params: + framework_preference: + - MITRE ATT&CK + - CrowdStrike Falcon Detections Framework + framework_cs: 'CrowdStrike Falcon Detections Framework' + framework_ma: 'MITRE ATT&CK' + falcon_tactic_names: + - malware + - exploit + - post-exploit + - machine learning + - custom intelligence + - falcon overwatch + - falcon intel + - ai powered ioa + - insecure security posture + source: | + def tid = ctx.threat.tactic?.id; + def nid = ctx.threat.technique?.id; + def tname = ctx.threat.tactic?.name; + if ((tid == null || tid.isEmpty()) && (nid == null || nid.isEmpty()) && (tname == null || tname.isEmpty())) { + return; + } + Set frameworks = new HashSet(); + // Handling tactics prefixed with "CS" or "TA". + if (tid != null && !tid.isEmpty()) { + for (String t: tid) { + if (t.startsWith("CS")) { + frameworks.add(params.framework_cs); + } + else if (t.startsWith("TA")) { + frameworks.add(params.framework_ma); + } + } + } + // Handling techniques prefixed with "CS". + if (nid != null && !nid.isEmpty()) { + for (String t: nid) { + if (t.startsWith("CS")) { + frameworks.add(params.framework_cs); + } + } + } + // Handling falcon specific tactics. + if (tname != null && !tname.isEmpty()) { + for (String t: tname) { + if (params.falcon_tactic_names.contains(t.toLowerCase())) { + frameworks.add(params.framework_cs); + } + } + } + if (frameworks.isEmpty()) { + return; + } + if (frameworks.size() == 1) { + ctx.threat.framework = frameworks.iterator().next(); + return; + } + + for (def preferred : params.framework_preference) { + if (frameworks.contains(preferred)) { + ctx.threat.framework = preferred; + return; + } + } + + // fallback when new frameworks are added and not yet in preference list + ctx.threat.framework = frameworks.iterator().next(); + on_failure: + - append: + tag: append_error_message_f73582d4 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.template_instance_id + tag: rename_template_instance_id + target_field: crowdstrike.alert.template_instance_id + ignore_missing: true + - date: + field: json.timestamp + tag: date_timestamp + target_field: crowdstrike.alert.timestamp + formats: + - ISO8601 + if: ctx.json?.timestamp != null && ctx.json.timestamp != '' + on_failure: + - append: + tag: append_error_message_2e6fef78 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_alert_timestamp + copy_from: crowdstrike.alert.timestamp + ignore_empty_value: true + - rename: + field: json.tree_id + tag: rename_tree_id + target_field: crowdstrike.alert.tree_id + ignore_missing: true + - rename: + field: json.tree_root + tag: rename_tree_root + target_field: crowdstrike.alert.tree_root + ignore_missing: true + - rename: + field: json.triggering_process_graph_id + tag: rename_triggering_process_graph_id + target_field: crowdstrike.alert.triggering_process_graph_id + ignore_missing: true + - rename: + field: json.type + tag: rename_type + target_field: crowdstrike.alert.type + ignore_missing: true + - rename: + field: json.rule_group_id + tag: rename_rule_group_id + target_field: crowdstrike.alert.rule_group_id + ignore_missing: true + - rename: + field: json.rule_group_name + tag: rename_rule_group_name + target_field: crowdstrike.alert.rule_group_name + ignore_missing: true + - rename: + field: json.rule_instance_created_by + tag: rename_rule_instance_created_by + target_field: crowdstrike.alert.rule_instance_created_by + ignore_missing: true + - rename: + field: json.rule_instance_id + tag: rename_rule_instance_id + target_field: crowdstrike.alert.rule_instance_id + ignore_missing: true + - rename: + field: json.rule_instance_name + tag: rename_rule_instance_name + target_field: crowdstrike.alert.rule_instance_name + ignore_missing: true + - rename: + field: json.rule_instance_version + tag: rename_rule_instance_version + target_field: crowdstrike.alert.rule_instance_version + ignore_missing: true + - rename: + field: json.overwatch_note + tag: rename_overwatch_note + target_field: crowdstrike.alert.overwatch_note + ignore_missing: true + - date: + field: json.overwatch_note_timestamp + tag: date_overwatch_note_timestamp + target_field: crowdstrike.alert.overwatch_note_timestamp + formats: + - ISO8601 + if: ctx.json?.overwatch_note_timestamp != null && ctx.json.updated_timestamp != '' + ignore_failure: true + - date: + field: json.updated_timestamp + tag: date_updated_timestamp + target_field: crowdstrike.alert.updated_timestamp + formats: + - ISO8601 + if: ctx.json?.updated_timestamp != null && ctx.json.updated_timestamp != '' + on_failure: + - append: + tag: append_error_message_d375f9f0 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.user_id + tag: rename_user_id + target_field: crowdstrike.alert.user_id + ignore_missing: true + - set: + field: user.id + tag: set_user_id_from_alert_user_id + copy_from: crowdstrike.alert.user_id + ignore_empty_value: true + - rename: + field: json.user_name + tag: rename_user_name + target_field: crowdstrike.alert.user_name + ignore_missing: true + - set: + field: user.name + tag: set_user_name_from_alert_user_name + copy_from: crowdstrike.alert.user_name + ignore_empty_value: true + - append: + field: related.user + tag: append_user_id_into_related_user + value: '{{{user.id}}}' + allow_duplicates: false + if: ctx.user?.id != null + - append: + field: related.user + tag: append_user_name_into_related_user + value: '{{{user.name}}}' + allow_duplicates: false + if: ctx.user?.name != null + - rename: + field: json.user_principal + tag: rename_user_principal + target_field: crowdstrike.alert.user_principal + ignore_missing: true + - append: + field: related.user + tag: append_crowdstrike_alert_user_principal_into_related_user + value: '{{{crowdstrike.alert.user_principal}}}' + allow_duplicates: false + if: ctx.crowdstrike?.alert?.user_principal != null + + - grok: + tag: grok_crowdstrike_alert_name_590f0399 + field: crowdstrike.alert.name + patterns: + - "%{NOTSPACE:_username_from_name} on %{NOTSPACE:_hostname_from_name}" + ignore_missing: true + ignore_failure: true + - set: + tag: set_user_name_10fa09f0 + field: user.name + copy_from: _username_from_name + if: ctx.user?.name == null || ctx.user.name == '' + ignore_empty_value: true + - append: + tag: append_related_user_6909493b + field: related.user + value: '{{{_username_from_name}}}' + allow_duplicates: false + if: ctx._username_from_name != null && ctx._username_from_name != '' + - set: + tag: set_host_name_bfa41cba + field: host.name + copy_from: _hostname_from_name + if: ctx.host?.name == null || ctx.host.name == '' + ignore_empty_value: true + - append: + tag: append_related_hosts_841139de + field: related.hosts + value: '{{{_hostname_from_name}}}' + allow_duplicates: false + if: ctx._hostname_from_name != null && ctx._hostname_from_name != '' + - remove: + tag: remove_20d23887 + field: + - _username_from_name + - _hostname_from_name + ignore_missing: true + + - fingerprint: + tag: fingerprint_b7759f38 + fields: + - event.id + - crowdstrike.alert.cid + - crowdstrike.alert.indicator_id + - crowdstrike.alert.updated_timestamp + target_field: _id + ignore_missing: true + - remove: + field: + - crowdstrike.alert.agent_id + - crowdstrike.alert.command_line + - crowdstrike.alert.description + - crowdstrike.alert.device.device_id + - crowdstrike.alert.device.external_ip + - crowdstrike.alert.device.hostinfo.domain + - crowdstrike.alert.device.hostname + - crowdstrike.alert.device.local_ip + - crowdstrike.alert.device.mac_address + - crowdstrike.alert.device.os_version + - crowdstrike.alert.device.platform_name + - crowdstrike.alert.device.system_manufacturer + - crowdstrike.alert.device.system_product_name + - crowdstrike.alert.device.tags + - crowdstrike.alert.end_time + - crowdstrike.alert.filename + - crowdstrike.alert.filepath + - crowdstrike.alert.host_name + - crowdstrike.alert.host_type + - crowdstrike.alert.id + - crowdstrike.alert.idp_policy_rule.id + - crowdstrike.alert.idp_policy_rule.name + - crowdstrike.alert.image_file_name + - crowdstrike.alert.location_country_code + - crowdstrike.alert.md5 + - crowdstrike.alert.operating_system + - crowdstrike.alert.os_name + - crowdstrike.alert.parent_details.cmdline + - crowdstrike.alert.parent_details.filename + - crowdstrike.alert.parent_details.filepath + - crowdstrike.alert.parent_details.md5 + - crowdstrike.alert.parent_details.sha256 + - crowdstrike.alert.parent_details.user_id + - crowdstrike.alert.parent_details.user_name + - crowdstrike.alert.parent_process_id + - crowdstrike.alert.process_end_time + - crowdstrike.alert.process_id + - crowdstrike.alert.process_start_time + - crowdstrike.alert.severity + - crowdstrike.alert.sha1 + - crowdstrike.alert.sha256 + - crowdstrike.alert.source.account_azure_id + - crowdstrike.alert.source.account_domain + - crowdstrike.alert.source.account_name + - crowdstrike.alert.source.endpoint_host_name + - crowdstrike.alert.source.endpoint_ip_address + - crowdstrike.alert.start_time + - crowdstrike.alert.tactic + - crowdstrike.alert.tags + - crowdstrike.alert.target.account_name + - crowdstrike.alert.target.domain_controller_host_name + - crowdstrike.alert.target.endpoint_host_name + - crowdstrike.alert.technique + - crowdstrike.alert.timestamp + - crowdstrike.alert.user_id + - crowdstrike.alert.user_name + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + lang: painless + description: Drops null/empty values recursively. + tag: painless_remove_null + source: |- + boolean drop(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(v -> drop(v)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(v -> drop(v)); + return (((List) object).length == 0); + } + return false; + } + drop(ctx); + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind_processor + value: pipeline_error + if: ctx.error?.message != null + - append: + tag: append_tags_9fe66b2c + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/base-fields.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/base-fields.yml new file mode 100644 index 0000000000..a93aca0ee9 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: crowdstrike +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: crowdstrike.alert +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/beats.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/beats.yml new file mode 100644 index 0000000000..4084f1dc7f --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/ecs.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/ecs.yml new file mode 100644 index 0000000000..bdc73a9cb9 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/ecs.yml @@ -0,0 +1,9 @@ +# Remove this file when kibana.version satisfied ^8.14. +- name: threat.tactic.id + external: ecs +- name: threat.technique.id + external: ecs +- name: threat.framework + external: ecs +- name: tags + external: ecs diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/fields.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/fields.yml new file mode 100644 index 0000000000..d499a73dda --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/fields/fields.yml @@ -0,0 +1,633 @@ +- name: crowdstrike + type: group + fields: + - name: alert + type: group + fields: + - name: active_directory_authentication_method + type: long + - name: activity + type: group + fields: + - name: browser + type: keyword + - name: device + type: keyword + - name: id + type: keyword + - name: os + type: keyword + - name: agent_id + type: keyword + - name: agent_scan_id + type: keyword + - name: aggregate_id + type: keyword + - name: alert_attributes + type: long + - name: alleged_filetype + type: keyword + - name: assigned_to + type: group + fields: + - name: name + type: keyword + - name: uid + type: keyword + - name: uuid + type: keyword + - name: associated_files + type: group + fields: + - name: filepath + type: keyword + - name: sha256 + type: keyword + - name: child_process_ids + type: keyword + - name: cid + type: keyword + - name: cloud_indicator + type: boolean + - name: cmdline + type: keyword + - name: command_line + type: keyword + - name: comment + type: keyword + - name: composite_id + type: keyword + - name: confidence + type: long + - name: context_timestamp + type: date + - name: control_graph_id + type: keyword + - name: crawl_edge_ids + type: group + fields: + - name: Sensor + type: keyword + - name: crawl_vertex_ids + type: group + fields: + - name: Sensor + type: keyword + - name: crawled_timestamp + type: date + - name: created_timestamp + type: date + - name: data_domains + type: keyword + - name: description + type: keyword + - name: detect_type + type: keyword + - name: device + type: group + fields: + - name: agent_load_flags + type: long + - name: agent_local_time + type: date + - name: agent_version + type: keyword + - name: bios_manufacturer + type: keyword + - name: bios_version + type: keyword + - name: cid + type: keyword + - name: config_id_base + type: keyword + - name: config_id_build + type: keyword + - name: config_id_platform + type: long + - name: external_ip + type: ip + - name: first_seen + type: date + - name: groups + type: keyword + - name: hostinfo + type: group + fields: + - name: active_directory_dn_display + type: keyword + - name: domain + type: keyword + - name: hostname + type: keyword + - name: id + type: keyword + - name: last_seen + type: date + - name: local_ip + type: ip + - name: mac_address + type: keyword + - name: machine_domain + type: keyword + - name: major_version + type: keyword + - name: minor_version + type: keyword + - name: modified_timestamp + type: date + - name: os_version + type: keyword + - name: ou + type: keyword + - name: platform_id + type: keyword + - name: platform_name + type: keyword + - name: pod_labels + type: keyword + - name: product_type + type: keyword + - name: product_type_desc + type: keyword + - name: site_name + type: keyword + - name: status + type: keyword + - name: system_manufacturer + type: keyword + - name: system_product_name + type: keyword + - name: tags + type: keyword + - name: display_name + type: keyword + - name: documents_accessed + type: group + fields: + - name: filename + type: keyword + - name: filepath + type: keyword + - name: timestamp + type: date + - name: email_sent + type: boolean + - name: end_time + type: date + - name: event_id + type: keyword + - name: executables_written + type: group + fields: + - name: filename + type: keyword + - name: filepath + type: keyword + - name: timestamp + type: date + - name: falcon_host_link + type: keyword + - name: file_writes + type: group + fields: + - name: name + type: keyword + - name: sha256 + type: keyword + - name: filename + type: keyword + - name: filepath + type: keyword + - name: files_accessed + type: group + fields: + - name: filename + type: keyword + - name: filepath + type: keyword + - name: timestamp + type: date + - name: files_written + type: group + fields: + - name: filename + type: keyword + - name: filepath + type: keyword + - name: timestamp + type: date + - name: global_prevalence + type: keyword + - name: grandparent_details + type: group + fields: + - name: cmdline + type: keyword + - name: filename + type: keyword + - name: filepath + type: keyword + - name: local_process_id + type: keyword + - name: md5 + type: keyword + - name: process_graph_id + type: keyword + - name: process_id + type: keyword + - name: sha256 + type: keyword + - name: timestamp + type: date + - name: user_graph_id + type: keyword + - name: user_id + type: keyword + - name: user_name + type: keyword + - name: has_script_or_module_ioc + type: boolean + - name: host_name + type: keyword + - name: host_type + type: keyword + - name: id + type: keyword + - name: idp_policy + type: group + fields: + - name: enforced_externally + type: long + - name: mfa_factor_type + type: long + - name: mfa_provider + type: long + - name: rule_action + type: long + - name: rule_trigger + type: long + - name: rule_id + type: keyword + - name: rule_name + type: keyword + - name: image_file_name + type: keyword + - name: incident + type: group + fields: + - name: created + type: date + - name: end + type: date + - name: id + type: keyword + - name: score + type: double + - name: start + type: date + - name: indicator_id + type: keyword + - name: ioc_context + type: group + fields: + - name: cmdline + type: keyword + - name: ioc_description + type: keyword + - name: ioc_source + type: keyword + - name: ioc_type + type: keyword + - name: ioc_value + type: keyword + - name: md5 + type: keyword + - name: sha256 + type: keyword + - name: type + type: keyword + - name: ioc_description + type: keyword + - name: ioc_source + type: keyword + - name: ioc_type + type: keyword + - name: ioc_value + type: keyword + - name: ioc_values + type: keyword + - name: is_synthetic_quarantine_disposition + type: boolean + - name: ldap_search_query_attack + type: long + - name: local_prevalence + type: keyword + - name: local_process_id + type: keyword + - name: location_country_code + type: keyword + - name: location_latitude_as_int + type: long + - name: location_longitude_as_int + type: long + - name: logon_domain + type: keyword + - name: md5 + type: keyword + - name: mitre_attack + type: group + fields: + - name: pattern_id + type: keyword + - name: tactic + type: keyword + - name: tactic_id + type: keyword + - name: technique + type: keyword + - name: technique_id + type: keyword + - name: model_anomaly_indicators + type: keyword + - name: name + type: keyword + - name: network_accesses + type: group + fields: + - name: access_timestamp + type: date + - name: access_type + type: long + - name: connection_direction + type: keyword + - name: isIPV6 + type: boolean + - name: local_address + type: ip + - name: local_port + type: long + - name: protocol + type: keyword + - name: remote_address + type: ip + - name: remote_port + type: long + - name: objective + type: keyword + - name: operating_system + type: keyword + - name: os_name + type: keyword + - name: overwatch_note + type: keyword + - name: overwatch_note_timestamp + type: date + - name: parent_details + type: group + fields: + - name: cmdline + type: keyword + - name: filename + type: keyword + - name: filepath + type: keyword + - name: local_process_id + type: keyword + - name: md5 + type: keyword + - name: process_graph_id + type: keyword + - name: process_id + type: keyword + - name: sha256 + type: keyword + - name: timestamp + type: date + - name: user_graph_id + type: keyword + - name: user_id + type: keyword + - name: user_name + type: keyword + - name: parent_process_id + type: keyword + - name: pattern_disposition + type: long + - name: pattern_disposition_description + type: keyword + - name: pattern_disposition_details + type: group + fields: + - name: blocking_unsupported_or_disabled + type: boolean + - name: bootup_safeguard_enabled + type: boolean + - name: containment_file_system + type: boolean + - name: critical_process_disabled + type: boolean + - name: detect + type: boolean + - name: fs_operation_blocked + type: boolean + - name: handle_operation_downgraded + type: boolean + - name: inddet_mask + type: boolean + - name: indicator + type: boolean + - name: kill_action_failed + type: boolean + - name: kill_parent + type: boolean + - name: kill_process + type: boolean + - name: kill_subprocess + type: boolean + - name: mfa_required + type: boolean + - name: operation_blocked + type: boolean + - name: policy_disabled + type: boolean + - name: prevention_provisioning_enabled + type: boolean + - name: process_blocked + type: boolean + - name: quarantine_file + type: boolean + - name: quarantine_machine + type: boolean + - name: registry_operation_blocked + type: boolean + - name: response_action_already_applied + type: boolean + - name: response_action_failed + type: boolean + - name: response_action_triggered + type: boolean + - name: rooting + type: boolean + - name: sensor_only + type: boolean + - name: suspend_parent + type: boolean + - name: suspend_process + type: boolean + - name: pattern_id + type: keyword + - name: platform + type: keyword + - name: poly_id + type: keyword + - name: prevented + type: boolean + - name: process_end_time + type: date + - name: process_id + type: keyword + - name: process_start_time + type: date + - name: product + type: keyword + - name: protocol_anomaly_classification + type: long + - name: quarantined + type: boolean + - name: quarantined_files + type: group + fields: + - name: filename + type: keyword + - name: id + type: keyword + - name: sha256 + type: keyword + - name: state + type: keyword + - name: rule_group_id + type: keyword + - name: rule_group_name + type: keyword + - name: rule_instance_created_by + type: keyword + - name: rule_instance_id + type: keyword + - name: rule_instance_name + type: keyword + - name: rule_instance_version + type: keyword + - name: scan_id + type: keyword + - name: scenario + type: keyword + - name: seconds_to_resolved + type: long + - name: seconds_to_triaged + type: long + - name: severity + type: long + - name: severity_name + type: keyword + - name: sha1 + type: keyword + - name: sha256 + type: keyword + - name: show_in_ui + type: boolean + - name: source + type: group + fields: + - name: account_azure_id + type: keyword + - name: account_domain + type: keyword + - name: account_name + type: keyword + - name: account_object_guid + type: keyword + - name: account_object_sid + type: keyword + - name: account_sam_account_name + type: keyword + - name: account_upn + type: keyword + - name: endpoint_account_object_guid + type: keyword + - name: endpoint_account_object_sid + type: keyword + - name: endpoint_address_ip4 + type: ip + - name: endpoint_host_name + type: keyword + - name: endpoint_ip_address + type: ip + - name: endpoint_ip_reputation + type: long + - name: endpoint_sensor_id + type: keyword + - name: ip_isp_classification + type: long + - name: ip_isp_domain + type: keyword + - name: source_products + type: keyword + - name: source_vendors + type: keyword + - name: start_time + type: date + - name: status + type: keyword + - name: tactic + type: keyword + - name: tactic_id + type: keyword + - name: tags + type: keyword + - name: target + type: group + fields: + - name: account_name + type: keyword + - name: domain_controller_host_name + type: keyword + - name: domain_controller_object_guid + type: keyword + - name: domain_controller_object_sid + type: keyword + - name: endpoint_account_object_guid + type: keyword + - name: endpoint_account_object_sid + type: keyword + - name: endpoint_host_name + type: keyword + - name: endpoint_sensor_id + type: keyword + - name: service_access_identifier + type: keyword + - name: technique + type: keyword + - name: technique_id + type: keyword + - name: template_instance_id + type: keyword + - name: timestamp + type: date + - name: tree_id + type: keyword + - name: tree_root + type: keyword + - name: triggering_process_graph_id + type: keyword + - name: type + type: keyword + - name: updated_timestamp + type: date + - name: user_id + type: keyword + - name: user_name + type: keyword + - name: user_principal + type: keyword + - name: worker_node_name + type: keyword diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/manifest.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/manifest.yml new file mode 100644 index 0000000000..4e3c744edc --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/manifest.yml @@ -0,0 +1,94 @@ +title: Collect alerts from CrowdStrike. +type: logs +streams: + - input: cel + title: Alerts + description: Collect unified alerts from CrowdStrike Falcon. + enabled: false + template_path: cel.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the Alert logs from CrowdStrike. Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 24h + - name: interval + type: text + title: Interval + description: Duration between requests to the CrowdStrike API. By default, differential data is pulled once per day. Supported units for this parameter are h/m/s. + default: 24h + multi: false + required: true + show_user: true + - name: batch_size + type: integer + title: Batch Size + description: Batch size for the response of the CrowdStrike API. It must be between 1 - 1000. + default: 1000 + multi: false + required: true + show_user: false + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: query + type: text + title: FQL Query + description: This is an additional FQL query that can be included in requests to the API. You should not include any reference to the `timestamp` property. See the [FalconPy documentation](https://www.falconpy.io/Usage/Falcon-Query-Language.html) for details. + multi: false + required: false + show_user: false + - name: enable_request_tracer + type: bool + title: Enable request tracing + default: false + multi: false + required: false + show_user: false + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. + Enabling this request tracing compromises security and should only be used for debugging. Disabling the request + tracer will delete any stored traces. + See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) + for details. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - crowdstrike-alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve crowdstrike.alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/sample_event.json b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/sample_event.json new file mode 100644 index 0000000000..680f31dc1f --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/alert/sample_event.json @@ -0,0 +1,364 @@ +{ + "@timestamp": "2023-11-03T18:00:22.328Z", + "agent": { + "ephemeral_id": "efb69ba7-0736-4cf7-a39f-70f3183e7530", + "id": "d541c008-3558-403d-9392-4faa6d42fcb4", + "name": "elastic-agent-43429", + "type": "filebeat", + "version": "8.18.0" + }, + "crowdstrike": { + "alert": { + "agent_id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "aggregate_id": "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "alleged_filetype": "exe", + "cid": "92012896127c4a948236ba7601b886b0", + "cloud_indicator": false, + "cmdline": "\"C:\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\"", + "composite_id": "92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "confidence": 10, + "context_timestamp": "2023-11-03T18:00:31.000Z", + "control_graph_id": "ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778", + "crawl_edge_ids": { + "Sensor": [ + "KZcZ=__;K&cmqQ]Z=W,QK4W.9(rBfs\\gfmjTblqI^F-_oNnAWQ&-o0:dR/>>2JIVMD36[+=kiQDRm.bB?;d\"V0JaQlaltC59Iq6nM?6>ZAs+LbOJ9p9A;9'WV9^H3XEMs8N", + "KZcZA__;?\"cmott@m_k)MSZ^+C?.cg92t[f!>*b9WLY@H!V0N,BJsNSTD:?/+fY';ea%iM\"__\"59K'R?_='rK/'hA\"r+L5i-*Ut5PI!!*'!", + "N6CUF__;K!d$:[C93.?=/5(5KnM]!L#UbnSY5HOHc#[6A&FE;(naXB4h/OG\"%MDAR=fo41Z]rXc\"J-\\&&V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr", + "N6CUF__;K!d$:\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\"X'\\AtNML2_C__7ic6,8Dc[F<0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn6I##&$^81(P+hN*-#rf/cUs)Wb\"<_/?I'[##WMh'H[Rcl+!!<<'", + "N6L[G__;K!d\"qhT7k?[D\"Bk:5s%+=>#DM0j$_44ZjO9q*d!YLuHhkq!3>3tpi>OPYZp9]5f1#/AlRZL06/I6cl\"d.&=To@9kS!prs8N" + ] + }, + "crawl_vertex_ids": { + "Sensor": [ + "aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778", + "ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993", + "quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425" + ] + }, + "crawled_timestamp": "2023-11-03T19:00:23.985Z", + "created_timestamp": "2023-11-03T18:01:23.995Z", + "data_domains": [ + "Endpoint" + ], + "description": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "device": { + "agent_load_flags": 0, + "agent_local_time": "2023-10-12T03:45:57.753Z", + "agent_version": "7.04.17605.0", + "bios_manufacturer": "ABC", + "bios_version": "F8CN42WW(V2.05)", + "cid": "92012896127c4a948236ba7601b886b0", + "config_id_base": "65994763", + "config_id_build": "17605", + "config_id_platform": 3, + "external_ip": "81.2.69.142", + "first_seen": "2023-04-07T09:36:36.000Z", + "groups": [ + "18704e21288243b58e4c76266d38caaf" + ], + "hostinfo": { + "active_directory_dn_display": [ + "WinComputers", + "WinComputers\\ABC" + ], + "domain": "ABC.LOCAL" + }, + "hostname": "ABC709-1175", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "last_seen": "2023-11-03T17:51:42.000Z", + "local_ip": "81.2.69.142", + "mac_address": "AB-21-48-61-05-B2", + "machine_domain": "ABC.LOCAL", + "major_version": "10", + "minor_version": "0", + "modified_timestamp": "2023-11-03T17:53:43.000Z", + "os_version": "Windows11", + "ou": [ + "ABC", + "WinComputers" + ], + "platform_id": "0", + "platform_name": "Windows", + "product_type": "1", + "product_type_desc": "Workstation", + "site_name": "Default-First-Site-Name", + "status": "normal", + "system_manufacturer": "LENOVO", + "system_product_name": "20VE" + }, + "falcon_host_link": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "filename": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "filepath": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "grandparent_details": { + "cmdline": "C:\\Windows\\system32\\userinit.exe", + "filename": "userinit.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\System32\\userinit.exe", + "local_process_id": "4328", + "md5": "b07f77fd3f9828b2c9d61f8a36609741", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135", + "process_id": "392734873135", + "sha256": "caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33", + "timestamp": "2023-10-30T16:49:19.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "yuvraj.mahajan" + }, + "has_script_or_module_ioc": true, + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "indicator_id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "ioc_context": [ + { + "ioc_description": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "ioc_source": "library_load", + "ioc_type": "hash_sha256", + "ioc_value": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "type": "module" + } + ], + "ioc_values": [ + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd" + ], + "is_synthetic_quarantine_disposition": true, + "local_process_id": "17076", + "logon_domain": "ABSYS", + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "name": "PrewittPupAdwareSensorDetect-Lowest", + "objective": "FalconDetectionMethod", + "parent_details": { + "cmdline": "C:\\WINDOWS\\Explorer.EXE", + "filename": "explorer.exe", + "filepath": "\\Device\\HarddiskVolume3\\Windows\\explorer.exe", + "local_process_id": "1040", + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "process_graph_id": "pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876", + "process_id": "392736520876", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "timestamp": "2023-11-03T18:00:32.000Z", + "user_graph_id": "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + }, + "parent_process_id": "392736520876", + "pattern_disposition": 2176, + "pattern_disposition_description": "Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.", + "pattern_disposition_details": { + "blocking_unsupported_or_disabled": false, + "bootup_safeguard_enabled": false, + "critical_process_disabled": false, + "detect": false, + "fs_operation_blocked": false, + "handle_operation_downgraded": false, + "inddet_mask": false, + "indicator": false, + "kill_action_failed": false, + "kill_parent": false, + "kill_process": false, + "kill_subprocess": false, + "operation_blocked": false, + "policy_disabled": false, + "process_blocked": true, + "quarantine_file": true, + "quarantine_machine": false, + "registry_operation_blocked": false, + "rooting": false, + "sensor_only": false, + "suspend_parent": false, + "suspend_process": false + }, + "pattern_id": "5761", + "platform": "Windows", + "poly_id": "AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==", + "process_end_time": "2023-11-03T18:00:21.000Z", + "process_id": "399748687993", + "process_start_time": "2023-11-03T18:00:13.000Z", + "product": "epp", + "quarantined_files": [ + { + "filename": "\\Device\\Volume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "state": "quarantined" + } + ], + "scenario": "NGAV", + "severity": 30, + "severity_name": "low", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "show_in_ui": true, + "source_products": [ + "FalconInsight" + ], + "source_vendors": [ + "CrowdStrike" + ], + "status": "new", + "tactic": "MachineLearning", + "tactic_id": "CSTA0004", + "technique": "Adware/PUP", + "technique_id": "CST0000", + "timestamp": "2023-11-03T18:00:22.328Z", + "tree_id": "1931778", + "tree_root": "38687993", + "triggering_process_graph_id": "pid:2ce4124ad4adc8c1c54dbfec4b:399748687993", + "type": "ldt", + "updated_timestamp": "2023-11-03T19:00:23.985Z", + "user_id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "user_name": "mohit.jha" + } + }, + "data_stream": { + "dataset": "crowdstrike.alert", + "namespace": "96581", + "type": "logs" + }, + "device": { + "id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "manufacturer": "LENOVO", + "model": { + "name": "20VE" + } + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "d541c008-3558-403d-9392-4faa6d42fcb4", + "snapshot": true, + "version": "8.18.0" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "process" + ], + "dataset": "crowdstrike.alert", + "id": "ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600", + "ingested": "2025-10-09T10:20:29Z", + "kind": "alert", + "original": "{\"agent_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"aggregate_id\":\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"alleged_filetype\":\"exe\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"cloud_indicator\":\"false\",\"cmdline\":\"\\\"C:\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\\\"\",\"composite_id\":\"92012896127c4a8236ba7601b886b0:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"confidence\":10,\"context_timestamp\":\"2023-11-03T18:00:31Z\",\"control_graph_id\":\"ctg:2ce4127b334ad4adc8c1c54dbfec4b:163208931778\",\"crawl_edge_ids\":{\"Sensor\":[\"KZcZ=__;K\\u0026cmqQ]Z=W,QK4W.9(rBfs\\\\gfmjTblqI^F-_oNnAWQ\\u0026-o0:dR/\\u003e\\u003e2J\\u003cd2T/ji6R\\u0026RIHe-tZSkP*q?HW;:leq.:kk)\\u003eIVMD36[+=kiQDRm.bB?;d\\\"V0JaQlaltC59Iq6nM?6\\u003eZAs+LbOJ9p9A;9'WV9^H3XEMs8N\",\"KZcZA__;?\\\"cmott@m_k)MSZ^+C?.cg\\u003cLga#0@71X07*LY2teE56*16pL[=!bjF7g@0jOQE'jT6RX_F@sr#RP-U/d[#nm9A,A,W%cl/T@\\u003cWalY1K_h%QDBBF;_e7S!!*'!\",\"KZd)iK2;s\\\\ckQl_P*d=Mo?^a7/JKc\\\\*L48169!7I5;0\\\\\\u003cH^hNG\\\"ZQ3#U3\\\"eo\\u003c\\u003e92t[f!\\u003e*b9WLY@H!V0N,BJsNSTD:?/+fY';e\\u003cOHh9AmlT?5\\u003cgGqK:*L99kat+P)eZ$HR\\\"Ql@Q!!!$!rr\",\"N6=Ks_B9Bncmur)?\\\\[fV$k/N5;:6@aB$P;R$2XAaPJ?E\\u003cG5,UfaP')8#2AY4ff+q?T?b0/RBi-YAeGmb\\u003c6Bqp[DZh#I(jObGkjJJaMf\\\\:#mb;BM\\\\L[g!\\\\F*M!!*'!\",\"N6B%O'=_7d#%u\\u0026d[+LTNDs\\u003c3307?8n=GrFI:4YYGCL,cIt-Tuj!\\u0026\\u003c6:3RbCuNjL#gW\\u0026=)E4^/'fp*.bFX@p_$,R6.\\\"=lV*T*5Vfc.:nkd$+YD:DJ,Ls0[sArC')K%YTc$:@kUQW5s8N\",\"N6B%s!\\\\k)ed$F6\\u003ea%iM\\\"\\u003cFTSe/eH8M:\\u003c9gf;$$.b??kpC*99aX!Lq:g6:Q3@Ga4Zrb@MaMa]L'YAt$IFBu])\\\"H^sF$r7gDPf6\\u0026CHpVKO3\\u003cDgK9,Y/e@V\\\"b\\u0026m!\\u003c\\u003c'\",\"N6CU\\u0026%VT\\\"d$=67=h\\\\I)/BJH:8-lS!.%\\\\-!$1@bAhtVO?q4]9'9'haE4N0*-0Uh'-'f',YW3]T=jL3D#N=fJi]Pp-bWej+R9q[%h[p]p26NK8q3b50k9G:.\\u0026eM\\u003cQer\\u003e__\\\"59K'R?_='rK/'hA\\\"r+L5i-*Ut5PI!!*'!\",\"N6CUF__;K!d$:[C93.?=/5(5KnM]!L#UbnSY5HOHc#[6A\\u0026FE;(naXB4h/OG\\\"%MDAR=fo41Z]rXc\\\"J-\\\\\\u0026\\u0026V8UW.?I6V*G+,))Ztu_IuCMV#ZJ:QDJ_EjQmjiX#HENY'WD0rVAV$Gl6_+0e:2$8D)):.LUs+8-S$L!!!$!rr\",\"N6CUF__;K!d$:\\\\N43JV0AO56@6D0$!na(s)d.dQ'iI1*uiKt#j?r\\\"X'\\\\AtNML2_C__7ic6,8Dc[F\\u003c0NTUGtl%HD#?/Y)t8!1X.;G!*FQ9GP-ukQn6I##\\u0026$^81(P+hN*-#rf/cUs)Wb\\\"\\u003c_/?I'[##WMh'H[Rcl+!!\\u003c\\u003c'\",\"N6L[G__;K!d\\\"qhT7k?[D\\\"Bk:5s%+=\\u003e#DM0j$_\\u003cr/JG0TCEQ!Ug(be3)\\u0026R2JnX+RSqorgC-NCjf6XATBWX(5\\u003cL1J1DV\\u003e44ZjO9q*d!YLuHhkq!3\\u003e3tpi\\u003eOPYZp9]5f1#/AlRZL06/I6cl\\\"d.\\u0026=To@9kS!prs8N\"]},\"crawl_vertex_ids\":{\"Sensor\":[\"aggind:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ctg:2ce412d17b334ad4adc8c1c54dbfec4b:163208931778\",\"ind:2ce412d17b34ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"mod:2ce412d17b4ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"mod:2ce412d17b334ad4adc8c1c54dbfec4b:caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"pid:2ce412d17b33d4adc8c1c54dbfec4b:392734873135\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993\",\"quf:2ce412d17b334ad4adc8c1c54dbfec4b:b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\"]},\"crawled_timestamp\":\"2023-11-03T19:00:23.985020992Z\",\"created_timestamp\":\"2023-11-03T18:01:23.995794943Z\",\"data_domains\":[\"Endpoint\"],\"description\":\"ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.\",\"device\":{\"agent_load_flags\":\"0\",\"agent_local_time\":\"2023-10-12T03:45:57.753Z\",\"agent_version\":\"7.04.17605.0\",\"bios_manufacturer\":\"ABC\",\"bios_version\":\"F8CN42WW(V2.05)\",\"cid\":\"92012896127c4a948236ba7601b886b0\",\"config_id_base\":\"65994763\",\"config_id_build\":\"17605\",\"config_id_platform\":\"3\",\"device_id\":\"2ce412d17b334ad4adc8c1c54dbfec4b\",\"external_ip\":\"81.2.69.142\",\"first_seen\":\"2023-04-07T09:36:36Z\",\"groups\":[\"18704e21288243b58e4c76266d38caaf\"],\"hostinfo\":{\"active_directory_dn_display\":[\"WinComputers\",\"WinComputers\\\\ABC\"],\"domain\":\"ABC.LOCAL\"},\"hostname\":\"ABC709-1175\",\"last_seen\":\"2023-11-03T17:51:42Z\",\"local_ip\":\"81.2.69.142\",\"mac_address\":\"ab-21-48-61-05-b2\",\"machine_domain\":\"ABC.LOCAL\",\"major_version\":\"10\",\"minor_version\":\"0\",\"modified_timestamp\":\"2023-11-03T17:53:43Z\",\"os_version\":\"Windows11\",\"ou\":[\"ABC\",\"WinComputers\"],\"platform_id\":\"0\",\"platform_name\":\"Windows\",\"pod_labels\":null,\"product_type\":\"1\",\"product_type_desc\":\"Workstation\",\"site_name\":\"Default-First-Site-Name\",\"status\":\"normal\",\"system_manufacturer\":\"LENOVO\",\"system_product_name\":\"20VE\"},\"falcon_host_link\":\"https://falcon.us-2.crowdstrike.com/activity-v2/detections/dhjffg:ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"filename\":\"openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"grandparent_details\":{\"cmdline\":\"C:\\\\Windows\\\\system32\\\\userinit.exe\",\"filename\":\"userinit.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\userinit.exe\",\"local_process_id\":\"4328\",\"md5\":\"b07f77fd3f9828b2c9d61f8a36609741\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392734873135\",\"process_id\":\"392734873135\",\"sha256\":\"caef4ae19056eeb122a0540508fa8984cea960173ada0dc648cb846d6ef5dd33\",\"timestamp\":\"2023-10-30T16:49:19Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"yuvraj.mahajan\"},\"has_script_or_module_ioc\":\"true\",\"id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"indicator_id\":\"ind:2ce412d17b334ad4adc8c1c54dbfec4b:399748687993-5761-42627600\",\"ioc_context\":[{\"ioc_description\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"ioc_source\":\"library_load\",\"ioc_type\":\"hash_sha256\",\"ioc_value\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"type\":\"module\"}],\"ioc_values\":[],\"is_synthetic_quarantine_disposition\":true,\"local_process_id\":\"17076\",\"logon_domain\":\"ABSYS\",\"md5\":\"cdf9cfebb400ce89d5b6032bfcdc693b\",\"name\":\"PrewittPupAdwareSensorDetect-Lowest\",\"objective\":\"FalconDetectionMethod\",\"parent_details\":{\"cmdline\":\"C:\\\\WINDOWS\\\\Explorer.EXE\",\"filename\":\"explorer.exe\",\"filepath\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\explorer.exe\",\"local_process_id\":\"1040\",\"md5\":\"8cc3fcdd7d52d2d5221303c213e044ae\",\"process_graph_id\":\"pid:2ce412d17b334ad4adc8c1c54dbfec4b:392736520876\",\"process_id\":\"392736520876\",\"sha256\":\"0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4\",\"timestamp\":\"2023-11-03T18:00:32Z\",\"user_graph_id\":\"uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"},\"parent_process_id\":\"392736520876\",\"pattern_disposition\":2176,\"pattern_disposition_description\":\"Prevention/Quarantine,processwasblockedfromexecutionandquarantinewasattempted.\",\"pattern_disposition_details\":{\"blocking_unsupported_or_disabled\":false,\"bootup_safeguard_enabled\":false,\"critical_process_disabled\":false,\"detect\":false,\"fs_operation_blocked\":false,\"handle_operation_downgraded\":false,\"inddet_mask\":false,\"indicator\":false,\"kill_action_failed\":false,\"kill_parent\":false,\"kill_process\":false,\"kill_subprocess\":false,\"operation_blocked\":false,\"policy_disabled\":false,\"process_blocked\":true,\"quarantine_file\":true,\"quarantine_machine\":false,\"registry_operation_blocked\":false,\"rooting\":false,\"sensor_only\":false,\"suspend_parent\":false,\"suspend_process\":false},\"pattern_id\":5761,\"platform\":\"Windows\",\"poly_id\":\"AACSASiWEnxKlIIaw8LWC-8XINBatE2uYZaWqRAAATiEEfPFwhoY4opnh1CQjm0tvUQp4Lu5eOAx29ZVj-qrGrA==\",\"process_end_time\":\"1699034421\",\"process_id\":\"399748687993\",\"process_start_time\":\"1699034413\",\"product\":\"epp\",\"quarantined_files\":[{\"filename\":\"\\\\Device\\\\Volume3\\\\Users\\\\yuvraj.mahajan\\\\AppData\\\\Local\\\\Temp\\\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\\\pfSenseFirewallOpenVPNClients\\\\Windows\\\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe\",\"id\":\"2ce412d17b334ad4adc8c1c54dbfec4b_b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"state\":\"quarantined\"}],\"scenario\":\"NGAV\",\"severity\":30,\"sha1\":\"0000000000000000000000000000000000000000\",\"sha256\":\"b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd\",\"show_in_ui\":true,\"source_products\":[\"FalconInsight\"],\"source_vendors\":[\"CrowdStrike\"],\"status\":\"new\",\"tactic\":\"MachineLearning\",\"tactic_id\":\"CSTA0004\",\"technique\":\"Adware/PUP\",\"technique_id\":\"CST0000\",\"timestamp\":\"2023-11-03T18:00:22.328Z\",\"tree_id\":\"1931778\",\"tree_root\":\"38687993\",\"triggering_process_graph_id\":\"pid:2ce4124ad4adc8c1c54dbfec4b:399748687993\",\"type\":\"ldt\",\"updated_timestamp\":\"2023-11-03T19:00:23.985007341Z\",\"user_id\":\"S-1-5-21-1909377054-3469629671-4104191496-4425\",\"user_name\":\"mohit.jha\"}", + "severity": 21, + "type": [ + "start" + ] + }, + "file": { + "name": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "path": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe" + }, + "host": { + "domain": "ABC.LOCAL", + "hostname": "ABC709-1175", + "id": "2ce412d17b334ad4adc8c1c54dbfec4b", + "ip": [ + "81.2.69.142" + ], + "mac": [ + "AB-21-48-61-05-B2" + ], + "os": { + "full": "Windows11", + "platform": "Windows", + "type": "windows" + } + }, + "input": { + "type": "cel" + }, + "message": "ThisfilemeetstheAdware/PUPAnti-malwareMLalgorithm'slowest-confidencethreshold.", + "process": { + "end": "2023-11-03T18:00:21.000Z", + "entity_id": "399748687993", + "executable": "\\Device\\HarddiskVolume3\\Users\\yuvraj.mahajan\\AppData\\Local\\Temp\\Temp3cc4c329-2896-461f-9dea-88009eb2e8fb_pfSenseFirewallOpenVPNClients-20230823T120504Z-001.zip\\pfSenseFirewallOpenVPNClients\\Windows\\openvpn-cds-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "hash": { + "md5": "cdf9cfebb400ce89d5b6032bfcdc693b", + "sha1": "0000000000000000000000000000000000000000", + "sha256": "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd" + }, + "name": "openvpn-abc-pfSense-UDP4-1194-pfsense-install-2.6.5-I001-amd64.exe", + "parent": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "entity_id": "392736520876", + "executable": "\\Device\\HarddiskVolume3\\Windows\\explorer.exe", + "hash": { + "md5": "8cc3fcdd7d52d2d5221303c213e044ae", + "sha256": "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4" + }, + "name": "explorer.exe", + "pid": 392736520876 + }, + "pid": 399748687993, + "start": "2023-11-03T18:00:13.000Z", + "user": { + "id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "name": "mohit.jha" + } + }, + "related": { + "hash": [ + "b07f77fd3f9828b2c9d61f8a36609741", + "cdf9cfebb400ce89d5b6032bfcdc693b", + "b26a6791b72753d2317efd5e1363d93fdd33e611c8b9e08a3b24ea4d755b81fd", + "8cc3fcdd7d52d2d5221303c213e044ae", + "0b25d56bd2b4d8a6df45beff7be165117fbf7ba6ba2c07744f039143866335e4", + "0000000000000000000000000000000000000000" + ], + "hosts": [ + "ABC.LOCAL", + "ABC709-1175" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "uid:2ce412d17b334ad4adc8c1c54dbfec4b:S-1-5-21-1909377054-3469629671-4104191496-4425", + "S-1-5-21-1909377054-3469629671-4104191496-4425", + "yuvraj.mahajan", + "mohit.jha" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "crowdstrike-alert" + ], + "threat": { + "framework": "CrowdStrike Falcon Detections Framework", + "tactic": { + "id": [ + "CSTA0004" + ], + "name": [ + "MachineLearning" + ] + }, + "technique": { + "id": [ + "CST0000" + ], + "name": [ + "Adware/PUP" + ] + } + }, + "user": { + "id": "S-1-5-21-1909377054-3469629671-4104191496-4425", + "name": "mohit.jha" + } +} diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/agent/stream/log.yml.hbs b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/agent/stream/log.yml.hbs new file mode 100644 index 0000000000..f06f0a6c29 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/agent/stream/log.yml.hbs @@ -0,0 +1,26 @@ +paths: +{{#each paths as |path i|}} + - {{path}} +{{/each}} +exclude_files: ['\.gz$'] +# Crowdstrike Falcon SIEM connector logs are multiline JSON by default +multiline.pattern: '^{' +multiline.negate: true +multiline.match: after +multiline.max_lines: 5000 +multiline.timeout: 10 +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +allow_deprecated_use: true +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml new file mode 100644 index 0000000000..5246d157d7 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/auth_activity_audit.yml @@ -0,0 +1,97 @@ +--- +processors: + - set: + tag: set_event_kind_de80643c + field: event.kind + value: event + - append: + field: event.category + value: iam + tag: append_iam_category + if: ctx.crowdstrike?.event?.OperationName != null && !["twoFactorAuthenticate", "userAuthenticate"].contains(ctx.crowdstrike.event.OperationName) + - append: + field: event.category + value: authentication + tag: append_auth_category + if: ctx.crowdstrike?.event?.OperationName != null && ["twoFactorAuthenticate", "userAuthenticate"].contains(ctx.crowdstrike.event.OperationName) + - append: + field: event.type + value: user + tag: append_user_type + if: ctx.crowdstrike?.event?.OperationName != null && ["activateUser", "changePassword", "confirmResetPassword", "deactivateUser", "grantUserRoles", "grantCustomerSubscriptions", "revokeUserRoles", "revokeCustomerSubscriptions", "updateUser", "updateUserRoles"].contains(ctx.crowdstrike.event.OperationName) + - append: + field: event.type + value: change + tag: append_change_type + if: ctx.crowdstrike?.event?.OperationName != null && ["activateUser", "changePassword", "confirmResetPassword", "deactivateUser", "grantUserRoles", "grantCustomerSubscriptions", "revokeUserRoles", "revokeCustomerSubscriptions", "updateUser", "updateUserRoles"].contains(ctx.crowdstrike.event.OperationName) + - append: + field: event.type + value: creation + tag: append_creation_type + if: ctx.crowdstrike?.event?.OperationName != null && ctx.crowdstrike.event.OperationName == "createUser" + - append: + field: event.type + value: deletion + tag: append_deletion_type + if: ctx.crowdstrike?.event?.OperationName != null && ctx.crowdstrike.event.OperationName == "deleteUser" + - grok: + tag: grok_crowdstrike_event_UserId_70ae09b7 + field: crowdstrike.event.UserId + patterns: + - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}' + - '%{GREEDYDATA:user.name}' + ignore_missing: true + ignore_failure: true + - set: + field: user.email + copy_from: crowdstrike.event.UserId + tag: copy_user_email + if: ctx.crowdstrike?.event?.UserId != null && ctx.crowdstrike.event.UserId.indexOf("@") > 0 + - append: + field: event.action + value: '{{{crowdstrike.event.OperationName}}}' + tag: append_operation_name + if: ctx.crowdstrike?.event?.OperationName != null + - append: + field: event.action + value: AuthActivityAuditEvent + tag: append_auth_activity_audit_event + if: ctx.event?.action == null + - set: + field: event.outcome + value: success + tag: set_success_outcome + if: ctx.crowdstrike?.event?.Success == true + - set: + field: event.outcome + value: failure + tag: set_failure_outcome + if: ctx.crowdstrike?.event?.Success == false + - set: + field: event.outcome + value: unknown + tag: set_unknown_outcome + if: ctx.event?.outcome == null + - rename: + field: crowdstrike.event.ServiceName + target_field: message + tag: rename_service_name + ignore_missing: true + - rename: + field: crowdstrike.event.UserIp + target_field: source.ip + tag: rename_user_ip + ignore_missing: true + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/cspm_events.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/cspm_events.yml new file mode 100644 index 0000000000..2d52e72e62 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/cspm_events.yml @@ -0,0 +1,171 @@ +--- +processors: + - set: + tag: set_event_kind_39295792 + field: event.kind + value: alert + - append: + field: event.category + value: configuration + tag: append_configuration_category + - append: + field: event.type + value: + - info + - change + tag: append_info_change_type + - set: + tag: set_event_outcome_312fe321 + field: event.outcome + value: success + if: ctx.crowdstrike?.event?.Disposition == "Passed" + - set: + tag: set_event_outcome_6c6787f5 + field: event.outcome + value: failure + if: ctx.crowdstrike?.event?.Disposition == "Failed" + - rename: + field: crowdstrike.event.EventAction + target_field: event.action + ignore_missing: true + tag: rename_event_action + - rename: + field: crowdstrike.event.ReportUrl + target_field: event.reference + ignore_missing: true + tag: rename_event_resource_url + - json: + field: crowdstrike.event.ResourceAttributes + tag: decode_json_resource_attributes + if: ctx.crowdstrike?.event?.ResourceAttributes != null + - rename: + field: crowdstrike.event.EventSource + target_field: event.provider + ignore_missing: true + tag: rename_event_source + - rename: + field: crowdstrike.event.AccountId + target_field: cloud.account.id + ignore_missing: true + if: ctx.cloud?.account?.id == null + tag: rename_cloud_account_id + - rename: + field: crowdstrike.event.Region + target_field: cloud.region + ignore_missing: true + if: ctx.cloud?.region == null + tag: rename_cloud_region + #CSPMS uses Platform, CSPMIOA uses Provider + - rename: + field: crowdstrike.event.CloudProvider + target_field: cloud.provider + ignore_missing: true + if: ctx.cloud?.provider == null + tag: rename_cloud_provider + - rename: + field: crowdstrike.event.CloudPlatform + target_field: cloud.provider + ignore_missing: true + if: ctx.cloud?.provider == null + tag: rename_cloud_platform + - rename: + field: crowdstrike.event.CloudService + target_field: cloud.service.name + ignore_missing: true + if: ctx.cloud?.service?.name == null + tag: rename_cloud_service + - rename: + field: crowdstrike.event.PolicyStatement + target_field: message + ignore_missing: true + tag: rename_policy_statement + - rename: + field: crowdstrike.event.UserName + target_field: user.name + ignore_missing: true + tag: rename_user_name + - rename: + field: crowdstrike.event.UserId + target_field: user.id + ignore_missing: true + tag: rename_user_id + - rename: + field: crowdstrike.event.UserSourceIp + target_field: source.ip + ignore_missing: true + tag: rename_user_source_ip + - date: + field: crowdstrike.event.Timestamp + target_field: "@timestamp" + timezone: UTC + formats: + - UNIX_MS + tag: date_timestamp_ms + if: "ctx.crowdstrike?.event?.Timestamp != null && String.valueOf(ctx.crowdstrike.event.Timestamp).length() >= 12" + - date: + field: crowdstrike.event.Timestamp + target_field: "@timestamp" + timezone: UTC + formats: + - UNIX + tag: date_timestamp + if: 'ctx.crowdstrike?.event?.Timestamp != null && String.valueOf(ctx.crowdstrike.event.Timestamp).length() <= 11' + - date: + field: crowdstrike.event.EventCreatedTimestamp + target_field: "@timestamp" + timezone: UTC + formats: + - UNIX_MS + tag: date_event_created_timestamp_ms + if: "ctx.crowdstrike?.event?.EventCreatedTimestamp != null && String.valueOf(ctx.crowdstrike.event.EventCreatedTimestamp).length() >= 12" + - date: + field: crowdstrike.event.EventCreatedTimestamp + target_field: "@timestamp" + timezone: UTC + formats: + - UNIX + tag: date_event_created_timestamp + if: 'ctx.crowdstrike?.event?.EventCreatedTimestamp != null && String.valueOf(ctx.crowdstrike.event.EventCreatedTimestamp).length() <= 11' + - remove: + field: crowdstrike.event.ResourceCreateTime + ignore_missing: true + tag: remove_resource_create_time + if: ctx.crowdstrike?.event?.ResourceCreateTime != null && ctx.crowdstrike.event.ResourceCreateTime == 0 + - date: + field: crowdstrike.event.ResourceCreateTime + target_field: crowdstrike.event.ResourceCreateTime + timezone: UTC + formats: + - UNIX_MS + tag: date_resource_create_time_ms + if: "ctx.crowdstrike?.event?.ResourceCreateTime != null && ctx.crowdstrike.event.ResourceCreateTime != 0 && String.valueOf(ctx.crowdstrike.event.ResourceCreateTime).length() >= 12" + - date: + field: crowdstrike.event.ResourceCreateTime + target_field: crowdstrike.event.ResourceCreateTime + timezone: UTC + formats: + - UNIX + tag: date_resource_create_time + if: 'ctx.crowdstrike?.event?.ResourceCreateTime != null && ctx.crowdstrike.event.ResourceCreateTime != 0 && String.valueOf(ctx.crowdstrike.event.ResourceCreateTime).length() <= 11' + - append: + field: threat.tactic.name + value: "{{{crowdstrike.event.Tactic}}}" + tag: append_tactic_name + if: ctx.crowdstrike?.event?.Tactic != null + - append: + field: threat.technique.name + value: "{{{crowdstrike.event.Technique}}}" + tag: append_technique_name + if: ctx.crowdstrike?.event?.Technique != null +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/customer_ioc_event.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/customer_ioc_event.yml new file mode 100644 index 0000000000..cc25d2bf9c --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/customer_ioc_event.yml @@ -0,0 +1,218 @@ +--- +description: Pipeline for processing customer IOC event logs. +processors: + - set: + field: event.kind + value: enrichment + tag: set_event_kind_to_enrichment + - append: + field: event.category + value: threat + tag: append_event_category_threat + - append: + field: event.type + value: indicator + tag: append_event_type_indicator + - set: + field: host.hostname + tag: set_host_hostname_from_event_ComputerName + copy_from: crowdstrike.event.ComputerName + ignore_empty_value: true + - set: + field: host.name + tag: set_host_name_from_event_ComputerName + copy_from: crowdstrike.event.ComputerName + ignore_empty_value: true + - set: + field: host.id + tag: set_host_id_from_event_DeviceId + copy_from: crowdstrike.event.DeviceId + ignore_empty_value: true + - set: + field: file.name + tag: set_file_name_from_event_FileName + copy_from: crowdstrike.event.FileName + ignore_empty_value: true + - set: + field: file.path + tag: set_file_path_from_event_FilePath + copy_from: crowdstrike.event.FilePath + ignore_empty_value: true + - convert: + field: crowdstrike.event.IPv4 + tag: convert_IPv4_to_ip + target_field: threat.indicator.ip + type: ip + ignore_missing: true + if: ctx.crowdstrike?.event?.IPv4 != '' + on_failure: + - append: + tag: append_error_message_3dc7a86b + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: crowdstrike.event.IPv6 + tag: convert_IPv6_to_ip + target_field: threat.indicator.ip + type: ip + ignore_missing: true + if: ctx.crowdstrike?.event?.IPv6 != '' + on_failure: + - append: + tag: append_error_message_ba148e71 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - geoip: + tag: geoip_threat_indicator_ip_to_threat_indicator_geo_1b4aa382 + field: threat.indicator.ip + target_field: threat.indicator.geo + ignore_missing: true + - geoip: + tag: geoip_threat_indicator_ip_to_threat_indicator_as_22b400d3 + database_file: GeoLite2-ASN.mmdb + field: threat.indicator.ip + target_field: threat.indicator.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + tag: rename_threat_indicator_as_asn_to_threat_indicator_as_number_3cdd79f1 + field: threat.indicator.as.asn + target_field: threat.indicator.as.number + ignore_missing: true + - rename: + tag: rename_threat_indicator_as_organization_name_to_threat_indicator_as_organization_name_dcd73ab7 + field: threat.indicator.as.organization_name + target_field: threat.indicator.as.organization.name + ignore_missing: true + - set: + field: process.parent.entity_id + tag: set_process_parent_entity_id_from_event_ParentProcessId + copy_from: crowdstrike.event.ParentProcessId + ignore_empty_value: true + - set: + field: process.entity_id + tag: set_process_entity_id_from_event_ProcessId + copy_from: crowdstrike.event.ProcessId + ignore_empty_value: true + - date: + field: crowdstrike.event.ProcessStartTime + tag: date_ProcessStartTime + target_field: process.start + formats: + - UNIX + if: ctx.crowdstrike?.event?.ProcessStartTime != null && ctx.crowdstrike.event.ProcessStartTime != '' + on_failure: + - append: + tag: append_error_message_f483d3bc + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + # set threat indicator name based on available fields in the event. Only one field will be available at a time. + - set: + field: threat.indicator.name + tag: set_threat_indicator_name_from_event_SHA256String + copy_from: crowdstrike.event.SHA256String + ignore_empty_value: true + - set: + field: threat.indicator.name + tag: set_threat_indicator_name_from_event_MD5String + copy_from: crowdstrike.event.MD5String + ignore_empty_value: true + - set: + field: threat.indicator.name + tag: set_threat_indicator_name_from_event_DomainName + copy_from: crowdstrike.event.DomainName + ignore_empty_value: true + - set: + field: threat.indicator.name + tag: set_threat_indicator_name_from_event_IPv4 + copy_from: crowdstrike.event.IPv4 + ignore_empty_value: true + - set: + field: threat.indicator.name + tag: set_threat_indicator_name_from_event_IPv6 + copy_from: crowdstrike.event.IPv6 + ignore_empty_value: true + # set threat indicator type based on available fields in the event. Only one field will be available at a time. + - set: + field: threat.indicator.type + tag: set_threat_indicator_type_to_ip_v4_addr + value: ipv4-addr + if: ctx.crowdstrike?.event?.IPv4 != null + - set: + field: threat.indicator.type + tag: set_threat_indicator_type_to_ip_v6_addr + value: ipv6-addr + if: ctx.crowdstrike?.event?.IPv6 != null + - set: + field: threat.indicator.type + tag: set_threat_indicator_type_to_domain_name + value: domain-name + if: ctx.crowdstrike?.event?.DomainName != null + - set: + field: threat.indicator.type + tag: set_threat_indicator_type_to_file + value: file + if: ctx.crowdstrike?.event?.SHA256String != null || ctx.crowdstrike?.event?.MD5String != null + - append: + field: related.ip + value: '{{{threat.indicator.ip}}}' + allow_duplicates: false + tag: append_related_ip + if: ctx.threat?.indicator?.ip != null && ctx.threat.indicator.ip != "" + - append: + field: related.hash + value: '{{{crowdstrike.event.SHA256String}}}' + allow_duplicates: false + tag: append_related_hash + if: ctx.crowdstrike?.event?.SHA256String != null && ctx.crowdstrike.event.SHA256String != "" + - append: + field: related.hash + value: '{{{crowdstrike.event.MD5String}}}' + allow_duplicates: false + tag: append_related_hash_b422ad09 + if: ctx.crowdstrike?.event?.MD5String != null && ctx.crowdstrike.event.MD5String != "" + - append: + field: related.hosts + value: '{{{crowdstrike.event.DomainName}}}' + allow_duplicates: false + tag: append_related_hosts + if: ctx.crowdstrike?.event?.DomainName != null && ctx.crowdstrike.event.DomainName != "" + - remove: + field: + - crowdstrike.event.ComputerName + - crowdstrike.event.DeviceId + - crowdstrike.event.FileName + - crowdstrike.event.FilePath + - crowdstrike.event.ParentProcessId + - crowdstrike.event.ProcessId + - crowdstrike.event.ProcessStartTime + tag: remove_custom_duplicate_fields + ignore_missing: true + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + tag: append_tags_9fe66b2c + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/data_protection_detection_summary.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/data_protection_detection_summary.yml new file mode 100644 index 0000000000..e16e950f0b --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/data_protection_detection_summary.yml @@ -0,0 +1,310 @@ +--- +description: Pipeline for processing Data Protection Detection Summary events. +processors: + # event categorization fields + - set: + field: event.kind + value: alert + tag: set_event_kind + - append: + field: event.category + value: malware + tag: append_malware_category + - append: + field: event.type + value: info + tag: append_info_type + + # converts + - convert: + field: crowdstrike.event.DataVolume + tag: convert_DataVolume_to_long + type: long + ignore_missing: true + on_failure: + - append: + tag: append_error_message_ab90b5c9 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: crowdstrike.event.ContentPatterns.ConfidenceLevel + tag: convert_ContentPatterns_ConfidenceLevel_to_long + type: long + ignore_missing: true + on_failure: + - remove: + tag: remove_crowdstrike_event_ContentPatterns_ConfidenceLevel_b676cd34 + field: crowdstrike.event.ContentPatterns.ConfidenceLevel + - append: + tag: append_error_message_06f0ca6b + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: crowdstrike.event.ContentPatterns.MatchCount + tag: convert_ContentPatterns_MatchCount_to_long + type: long + ignore_missing: true + on_failure: + - remove: + tag: remove_crowdstrike_event_ContentPatterns_MatchCount_80ca383c + field: crowdstrike.event.ContentPatterns.MatchCount + - append: + tag: append_error_message_3c072e8f + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: crowdstrike.event.FilesEgressedCount + tag: convert_FilesEgressedCount_to_long + type: long + ignore_missing: true + on_failure: + - remove: + tag: remove_crowdstrike_event_FilesEgressedCount_2907b839 + field: crowdstrike.event.FilesEgressedCount + - append: + tag: append_error_message_6339ac56 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: crowdstrike.event.UserNotified + tag: convert_UserNotified_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + tag: remove_crowdstrike_event_UserNotified_35bb8357 + field: crowdstrike.event.UserNotified + - append: + tag: append_error_message_a6eea08b + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: crowdstrike.event.UserMapped + tag: convert_UserMapped_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + tag: remove_crowdstrike_event_UserMapped_87635939 + field: crowdstrike.event.UserMapped + - append: + tag: append_error_message_09142f9e + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: crowdstrike.event.IsClipboard + tag: convert_IsClipboard_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + tag: remove_crowdstrike_event_IsClipboard_a661bb33 + field: crowdstrike.event.IsClipboard + - append: + tag: append_error_message_3be036d0 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: crowdstrike.event.EventTimestamp + tag: date_EventTimestamp + target_field: crowdstrike.event.EventTimestamp + timezone: UTC + formats: + - UNIX + if: ctx.crowdstrike?.event?.EventTimestamp != null + on_failure: + - append: + tag: append_error_message_061def81 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + # Anomaly-based detections contains SessionStartTimestamp and SessionEndTimestamp fields + - date: + field: crowdstrike.event.SessionStartTimestamp + tag: date_SessionStartTimestamp + target_field: 'event.start' + timezone: UTC + formats: + - UNIX + if: ctx.crowdstrike?.event?.SessionStartTimestamp != null + on_failure: + - append: + tag: append_error_message_d22c109c + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: crowdstrike.event.SessionEndTimestamp + tag: date_SessionEndTimestamp + target_field: 'event.end' + timezone: UTC + formats: + - UNIX + if: ctx.crowdstrike?.event?.SessionEndTimestamp != null + on_failure: + - append: + tag: append_error_message_bcb83d0c + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + description: Determine event.duration from event start and end date. + tag: script_to_set_event_duration + lang: painless + if: ctx.event?.start != null && ctx.event?.end != null + source: | + Instant event_start = ZonedDateTime.parse(ctx.event.start).toInstant(); + Instant event_end = ZonedDateTime.parse(ctx.event.end).toInstant(); + ctx.event['duration'] = ChronoUnit.NANOS.between(event_start, event_end); + on_failure: + - append: + tag: append_error_message_16889e98 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # ECS mappings + - set: + field: message + tag: set_message_from_event_Description + copy_from: crowdstrike.event.Description + ignore_empty_value: true + - set: + field: event.id + tag: set_event_id_from_event_EgressEventId + copy_from: crowdstrike.event.EgressEventId + ignore_empty_value: true + - set: + field: event.action + tag: set_event_action_from_event_Name + copy_from: crowdstrike.event.Name + ignore_empty_value: true + - set: + field: event.reference + tag: set_event_reference_from_event_FalconHostLink + copy_from: crowdstrike.event.FalconHostLink + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_success + value: success + if: ctx.crowdstrike?.event?.ResponseAction == 'allowed' + - set: + field: event.outcome + tag: set_event_outcome_failure + value: failure + if: ctx.crowdstrike?.event?.ResponseAction == 'blocked' + - set: + field: event.outcome + tag: set_event_outcome_unknown + value: unknown + override: false + - set: + field: file.hash.sha256 + tag: set_file_hash_sha256_from_event_ContentSha + copy_from: crowdstrike.event.ContentSha + ignore_empty_value: true + - append: + field: related.hash + tag: append_file_hash_sha256_to_related_hash + value: '{{{file.hash.sha256}}}' + allow_duplicates: false + if: ctx.file?.hash?.sha256 != null + - set: + field: file.name + tag: set_file_name_from_event_Filename + copy_from: crowdstrike.event.Filename + ignore_empty_value: true + - script: + lang: painless + tag: extract_file_extension_from_filename + if: ctx.crowdstrike?.event?.Filename != null + source: |- + def idx = ctx.crowdstrike.event.Filename.lastIndexOf('.'); + if (idx != -1) { + ctx.file = ctx.file ?: [:]; + ctx.file.extension = ctx.crowdstrike.event.Filename.substring(idx + 1).toLowerCase(); + } + on_failure: + - append: + tag: append_error_message_e648f418 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: file.size + tag: set_file_size_from_event_DataVolume + copy_from: crowdstrike.event.DataVolume + ignore_empty_value: true + - set: + field: host.name + tag: set_host_name_from_event_Hostname + copy_from: crowdstrike.event.Hostname + ignore_empty_value: true + - lowercase: + field: crowdstrike.event.Platform + tag: lowercase_Platform + target_field: host.os.platform + ignore_missing: true + - set: + field: rule.id + tag: set_rule_id_from_event_policy_id + copy_from: crowdstrike.event.Policy.ID + ignore_empty_value: true + - set: + field: rule.name + tag: set_rule_name_from_event_policy_name + copy_from: crowdstrike.event.Policy.Name + ignore_empty_value: true + - set: + field: user.id + tag: set_user_id_from_event_UserSid + copy_from: crowdstrike.event.UserSid + ignore_empty_value: true + - set: + field: user.name + tag: set_user_name_from_event_UserName + copy_from: crowdstrike.event.UserName + ignore_empty_value: true + + # clean up + - remove: + field: + - crowdstrike.event.ContentSha + - crowdstrike.event.DataVolume + - crowdstrike.event.Description + - crowdstrike.event.EgressEventId + - crowdstrike.event.FalconHostLink + - crowdstrike.event.Filename + - crowdstrike.event.Hostname + - crowdstrike.event.Name + - crowdstrike.event.Platform + - crowdstrike.event.Policy + - crowdstrike.event.SessionStartTimestamp + - crowdstrike.event.SessionEndTimestamp + - crowdstrike.event.UserSid + tag: remove_custom_duplicate_fields + ignore_missing: true + + # error handling + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + tag: append_tags_9fe66b2c + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 0000000000..72bcccbaca --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,669 @@ +--- +description: Ingest pipeline for normalizing CrowdStrike Falcon logs +processors: + - remove: + field: + - organization + - division + - team + ignore_missing: true + if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String + tag: remove_agentless_tags + description: >- + Removes the fields added by Agentless as metadata, + as they can collide with ECS fields. + - set: + tag: set_ecs_version_f5923549 + field: ecs.version + value: '8.17.0' + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: crowdstrike + on_failure: + - append: + tag: append_error_message_8bb0f55c + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - drop: + tag: drop_non_object_crowdstrike + description: Drop documents where parsed event.original is not a JSON object (e.g. HTTP status 400). These cannot be meaningfully processed and would cause mapping conflicts. + if: ctx.crowdstrike != null && !(ctx.crowdstrike instanceof Map) + - remove: + tag: remove_981d9741 + field: + - host.name + ignore_missing: true + - set: + tag: set_observer_vendor_c6436b11 + field: observer.vendor + value: Crowdstrike + - set: + tag: set_observer_product_8aa28b50 + field: observer.product + value: Falcon + # Can be both string and int, depending on type, should always be string, field is mapped as keyword + - convert: + field: crowdstrike.event.IncidentType + type: string + tag: convert_incident_type + ignore_missing: true + # Can be both string and int, depending on type, should always be string, field is mapped as keyword + - convert: + field: crowdstrike.event.PatternId + type: string + tag: convert_pattern_id + ignore_missing: true + # Script to convert windows NT timestamp to unix timestamp + - script: + tag: convert-nt-timestamp-to-unix + description: Convert Windows NT timestamps to UNIX timestamps for multiple fields. + lang: painless + if: ctx.crowdstrike?.event instanceof Map + params: + values: + - 'StartTime' + - 'EndTime' + - 'ContextTimeStamp' + - 'EndTimestamp' + - 'IncidentEndTime' + - 'IncidentStartTime' + - 'ItemPostedTimestamp' + - 'MatchedTimestamp' + - 'MostRecentActivityTimeStamp' + - 'PrecedingActivityTimeStamp' + - 'StartTimestamp' + - 'UTCTimestamp' + # Process to convert LDAP/WIN32 FILETIME to Unix (milliseconds) timestamp. + # More details can be found here https://devblogs.microsoft.com/oldnewthing/20030905-02/?p=42653 and here https://www.epochconverter.com/ldap + source: | + def convertToUnix(def longValue) { + if (longValue > 0x0100000000000000L) { + return (longValue / 10000) - 11644473600000L; + } + return longValue; + } + + for (def field : params.values) { + def fieldValue = ctx.crowdstrike.event[field]; + if (fieldValue != null) { + if (fieldValue instanceof long) { + ctx.crowdstrike.event[field] = convertToUnix(fieldValue); + } else if (fieldValue instanceof String) { + if (!fieldValue.contains('.')) { + def timestamp = Long.parseLong(fieldValue); + ctx.crowdstrike.event[field] = convertToUnix(timestamp); + } + } + } + } + # Handle event Tags, which can be a string or a list of maps. + - script: + tag: convert-Tags-and-copy-to-tags + description: Convert tags from nested type and append to ctx.tags. + lang: painless + if: ctx.crowdstrike?.event?.Tags != null + source: | + if (ctx.crowdstrike.event.Tags instanceof List) { + for (tag in ctx.crowdstrike.event.Tags) { + if (tag instanceof Map) { + ctx.tags.add(tag["Key"] + ":" + tag["ValueString"]); + } + } + } else if (ctx.crowdstrike.event.Tags instanceof String) { + def values = ctx.crowdstrike.event.Tags.splitOnToken(','); + for (value in values) { + ctx.tags.add(value.trim()); + } + } + # UTCTimestamp should exist in each event, however on the off-chance it might not be (Like RemoteSession Start/End), then we have to use eventCreation time. + - date: + field: crowdstrike.event.UTCTimestamp + timezone: UTC + formats: + - UNIX_MS + tag: date_utc_timestamp_ms + if: 'ctx.crowdstrike?.event?.UTCTimestamp != null && String.valueOf(ctx.crowdstrike.event.UTCTimestamp).length() >= 12' + - date: + field: crowdstrike.event.UTCTimestamp + timezone: UTC + formats: + - UNIX + tag: date_utc_timestamp + if: 'ctx.crowdstrike?.event?.UTCTimestamp != null && String.valueOf(ctx.crowdstrike.event.UTCTimestamp).length() <= 11' + - date: + field: crowdstrike.metadata.eventCreationTime + target_field: event.created + timezone: UTC + formats: + - UNIX + tag: date_event_creation_time + if: 'ctx.crowdstrike?.metadata?.eventCreationTime != null && String.valueOf(ctx.crowdstrike.metadata.eventCreationTime).length() <= 11' + - date: + field: crowdstrike.metadata.eventCreationTime + target_field: event.created + timezone: UTC + formats: + - UNIX_MS + tag: date_event_creation_time_ms + if: 'ctx.crowdstrike?.metadata?.eventCreationTime != null && String.valueOf(ctx.crowdstrike.metadata.eventCreationTime).length() >= 12' + - set: + field: '@timestamp' + copy_from: event.created + tag: copy_timestamp_from_event_created + if: ctx.crowdstrike?.event?.UTCTimestamp == null && ctx.event?.created != null + # Assign severities to conform to security rules values + # + # 21 = Low + # 47 = Medium + # 73 = High + # 99 = Critical + # + # Leave crowdstrike values in place, since they have their own semantics. + - script: + tag: script_5d52b95d + lang: painless + if: ctx.crowdstrike?.event?.SeverityName instanceof String + source: |- + ctx.event = ctx.event ?: [:]; + String name = ctx.crowdstrike.event.SeverityName; + if (name.equalsIgnoreCase("low") || name.equalsIgnoreCase("info") || name.equalsIgnoreCase("informational")) { + ctx.event.severity = 21; + } else if (name.equalsIgnoreCase("medium")) { + ctx.event.severity = 47; + } else if (name.equalsIgnoreCase("high")) { + ctx.event.severity = 73; + } else if (name.equalsIgnoreCase("critical")) { + ctx.event.severity = 99; + } + - script: + lang: painless + tag: script_remove_null_event + if: ctx.crowdstrike?.event instanceof Map + params: + values: + - null + - '' + - '-' + - 'N/A' + - 'NA' + - 0 + source: | + ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + - script: + lang: painless + tag: script_remove_null_metadata + if: ctx.crowdstrike?.metadata instanceof Map + params: + values: + - null + - '' + - '-' + - 'N/A' + - 'NA' + source: | + ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + - script: + lang: painless + tag: script_enrich_command_line + if: ctx.crowdstrike?.event?.CommandLine != null + source: | + def commandLine = ctx.crowdstrike?.event?.CommandLine; + commandLine = commandLine.trim(); + + if (commandLine != "") { + def args = new ArrayList(Arrays.asList(/ /.split(commandLine))); + args.removeIf(arg -> arg == ""); + + ctx.process = [ + 'command_line': commandLine, + 'args': args, + 'executable': args.get(0) + ] + } + + - script: + lang: painless + tag: script_enrich_command_line_parent + if: ctx.crowdstrike?.event?.ParentCommandLine != null + source: | + def parentCommandLine = ctx.crowdstrike?.event?.ParentCommandLine; + parentCommandLine = parentCommandLine.trim(); + + if (parentCommandLine != "") { + def args = new ArrayList(Arrays.asList(/ /.split(parentCommandLine))); + args.removeIf(arg -> arg == ""); + if (ctx.process == null) { + ctx.process = new HashMap(); + } + ctx.process.parent = [ + 'command_line': parentCommandLine, + 'args': args, + 'executable': args.get(0) + ] + } + + + - pipeline: + name: '{{ IngestPipeline "customer_ioc_event" }}' + tag: pipeline_customer_ioc_event + if: ctx.crowdstrike?.metadata?.eventType == "CustomerIOCEvent" + - pipeline: + name: '{{ IngestPipeline "data_protection_detection_summary" }}' + tag: pipeline_data_protection_detection_summary + if: ctx.crowdstrike?.metadata?.eventType == "DataProtectionDetectionSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "detection_summary" }}' + tag: pipeline_detection_summary + if: ctx.crowdstrike?.metadata?.eventType == "DetectionSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "epp_detection_summary" }}' + tag: pipeline_epp_detection_summary + if: ctx.crowdstrike?.metadata?.eventType == "EppDetectionSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "mobile_detection_summary" }}' + tag: pipeline_mobile_detection_summary + if: ctx.crowdstrike?.metadata?.eventType == "MobileDetectionSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "incident_summary" }}' + tag: pipeline_incident_summary + if: ctx.crowdstrike?.metadata?.eventType == "IncidentSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "xdr_detection_summary" }}' + tag: pipeline_xdr_summary + if: ctx.crowdstrike?.metadata?.eventType == "XdrDetectionSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "ipd_detection_summary" }}' + tag: pipeline_ipd_summary + if: ctx.crowdstrike?.metadata?.eventType == "IdpDetectionSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "recon_notification_summary" }}' + tag: pipeline_recon_nofitication_summary + if: ctx.crowdstrike?.metadata?.eventType == "ReconNotificationSummaryEvent" + - pipeline: + name: '{{ IngestPipeline "identity_protection_incident" }}' + tag: pipeline_identity_protection_incident + if: ctx.crowdstrike?.metadata?.eventType == "IdentityProtectionEvent" + - pipeline: + name: '{{ IngestPipeline "cspm_events" }}' + tag: pipeline_cspm_events + if: "['CSPMIOAStreamingEvent','CSPMSearchStreamingEvent'].contains(ctx.crowdstrike?.metadata?.eventType)" + - pipeline: + name: '{{ IngestPipeline "user_activity_audit" }}' + tag: pipeline_user_activity_audit + if: ctx.crowdstrike?.metadata?.eventType == "UserActivityAuditEvent" + - pipeline: + name: '{{ IngestPipeline "auth_activity_audit" }}' + tag: pipeline_auth_activity_audit + if: ctx.crowdstrike?.metadata?.eventType == "AuthActivityAuditEvent" + - pipeline: + name: '{{ IngestPipeline "firewall_match" }}' + tag: pipeline_firewall_match + if: ctx.crowdstrike?.metadata?.eventType == "FirewallMatchEvent" + - pipeline: + name: '{{ IngestPipeline "remote_response_session_start" }}' + tag: pipeline_remote_response_session_start + if: ctx.crowdstrike?.metadata?.eventType == "RemoteResponseSessionStartEvent" + - pipeline: + name: '{{ IngestPipeline "remote_response_session_end" }}' + tag: pipeline_remote_response_session_end + if: ctx.crowdstrike?.metadata?.eventType == "RemoteResponseSessionEndEvent" + - pipeline: + name: '{{ IngestPipeline "scheduled_report_notification_event" }}' + tag: pipeline_scheduled_report_notification_event + if: ctx.crowdstrike?.metadata?.eventType == "ScheduledReportNotificationEvent" + - set: + field: process.entity_id + tag: set_process_entity_id + value: '{{{process.pid}}}' + ignore_empty_value: true + - set: + field: process.parent.entity_id + tag: set_process_parent_entity_id + value: '{{{process.parent.pid}}}' + ignore_empty_value: true + - set: + field: user.email + copy_from: user.name + tag: copy_user_email + if: ctx.user?.email == null && ctx.user?.name != null && ctx.user.name.indexOf("@") > 0 + - append: + field: related.user + value: '{{{user.name}}}' + allow_duplicates: false + tag: append_related_user_name + if: ctx.user?.name != null && ctx.user?.name != "" + - append: + field: related.user + value: '{{{user.email}}}' + allow_duplicates: false + tag: append_related_user_email + if: ctx.user?.email != null + - append: + field: related.ip + value: '{{{source.ip}}}' + allow_duplicates: false + tag: append_related_src_ip + if: ctx.source?.ip != null && ctx.source?.ip != "" + - append: + field: related.ip + value: '{{{destination.ip}}}' + allow_duplicates: false + tag: append_related_dst_ip + if: ctx.destination?.ip != null && ctx.destination?.ip != "" + - append: + field: related.hosts + value: '{{{host.name}}}' + allow_duplicates: false + tag: append_related_host + if: ctx.host?.name != null && ctx.host?.name != "" + - fingerprint: + fields: + - '@timestamp' + - crowdstrike.event.SessionId + - crowdstrike.event.DetectId + - crowdstrike.event.PID + - crowdstrike.event.RuleId + - crowdstrike.metadata.eventType + - crowdstrike.metadata.customerIDString + - crowdstrike.metadata.offset + target_field: _id + tag: fingerprint + ignore_missing: true + - geoip: + tag: geoip_source_ip_to_source_geo_da2e41b2 + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + tag: geoip_source_ip_to_source_as_28d69883 + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + tag: rename_source_as_asn_to_source_as_number_a917047d + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + tag: rename_source_as_organization_name_to_source_as_organization_name_f1362d0b + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - geoip: + tag: geoip_destination_ip_to_destination_geo_ab5e2968 + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + tag: geoip_destination_ip_to_destination_as_8a007787 + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + tag: rename_destination_as_asn_to_destination_as_number_3b459fcd + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + tag: rename_destination_as_organization_name_to_destination_as_organization_name_814bd459 + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + # If `device.id`` is not already mapped inside respective pipelines using SensorId, use `event.DeviceId` to map it. + - set: + field: device.id + copy_from: crowdstrike.event.DeviceId + ignore_empty_value: true + tag: rename_event_deviceid + if: ctx.device?.id == null + +# Threat Fields. + - foreach: + field: crowdstrike.event.MitreAttack + tag: foreach_event_MitreAttack_tactic_name + if: ctx.crowdstrike?.event?.MitreAttack instanceof List + processor: + append: + field: threat.tactic.name + tag: append_crowdstrike_event_MitreAttack_Tactic_into_threat_tactic_name + value: '{{{_ingest._value.Tactic}}}' + allow_duplicates: false + - foreach: + field: crowdstrike.event.MitreAttack + tag: foreach_event_MitreAttack_tactic_id + if: ctx.crowdstrike?.event?.MitreAttack instanceof List + processor: + append: + field: threat.tactic.id + tag: append_crowdstrike_event_MitreAttack_TacticID_into_threat_tactic_id + value: '{{{_ingest._value.TacticID}}}' + allow_duplicates: false + - foreach: + field: crowdstrike.event.MitreAttack + tag: foreach_event_MitreAttack_technique_name + if: ctx.crowdstrike?.event?.MitreAttack instanceof List + processor: + append: + field: threat.technique.name + tag: append_crowdstrike_event_MitreAttack_Technique_into_threat_technique_name + value: '{{{_ingest._value.Technique}}}' + allow_duplicates: false + - foreach: + field: crowdstrike.event.MitreAttack + tag: foreach_event_MitreAttack_technique_id + if: ctx.crowdstrike?.event?.MitreAttack instanceof List + processor: + append: + field: threat.technique.id + tag: append_crowdstrike_event_MitreAttack_TechniqueID_into_threat_technique_id + value: '{{{_ingest._value.TechniqueID}}}' + allow_duplicates: false + - foreach: + field: crowdstrike.event.MitreAttack + tag: foreach_event_MitreAttack_pattern_id + if: ctx.crowdstrike?.event?.MitreAttack instanceof List + processor: + convert: + field: _ingest._value.PatternID + tag: convert_mitre_attack_pattern_id_to_string + type: string + ignore_missing: true + on_failure: + - remove: + tag: remove_ingest_value_pattern_id + field: _ingest._value.PatternID + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + description: Set threat.framework from threat.* fields using prefix matching and preference order. + lang: painless + tag: script_threat_framework + if: ctx.threat != null + params: + framework_preference: + - MITRE ATT&CK + - CrowdStrike Falcon Detections Framework + framework_cs: 'CrowdStrike Falcon Detections Framework' + framework_ma: 'MITRE ATT&CK' + falcon_tactic_names: + - malware + - exploit + - post-exploit + - machine learning + - custom intelligence + - falcon overwatch + - falcon intel + - ai powered ioa + - insecure security posture + source: | + def tid = ctx.threat.tactic?.id; + def nid = ctx.threat.technique?.id; + def tname = ctx.threat.tactic?.name; + if ((tid == null || tid.isEmpty()) && (nid == null || nid.isEmpty()) && (tname == null || tname.isEmpty())) { + return; + } + Set frameworks = new HashSet(); + // Handling tactics prefixed with "CS" or "TA". + if (tid != null && !tid.isEmpty()) { + for (String t: tid) { + if (t.startsWith("CS")) { + frameworks.add(params.framework_cs); + } + else if (t.startsWith("TA")) { + frameworks.add(params.framework_ma); + } + } + } + // Handling techniques prefixed with "CS". + if (nid != null && !nid.isEmpty()) { + for (String t: nid) { + if (t.startsWith("CS")) { + frameworks.add(params.framework_cs); + } + } + } + // Handling falcon specific tactics. + if (tname != null && !tname.isEmpty()) { + for (String t: tname) { + if (params.falcon_tactic_names.contains(t.toLowerCase())) { + frameworks.add(params.framework_cs); + } + } + } + + if (frameworks.isEmpty()) { + return; + } + if (frameworks.size() == 1) { + ctx.threat.framework = frameworks.iterator().next(); + return; + } + + for (def preferred : params.framework_preference) { + if (frameworks.contains(preferred)) { + ctx.threat.framework = preferred; + return; + } + } + + // fallback when new frameworks are added and not yet in preference list + ctx.threat.framework = frameworks.iterator().next(); + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + # This removes any fields that are mapped to ECS, but have not been renamed. + # This is to prevent the fields from being duplicated in the event. + - remove: + tag: remove_6a6abdd1 + field: + - _tmp_ + - crowdstrike.event.Technique + - crowdstrike.event.TechniqueId + - crowdstrike.event.Tactic + - crowdstrike.event.TacticId + - crowdstrike.event.Techniques + - crowdstrike.event.TechniqueIds + - crowdstrike.event.Tactics + - crowdstrike.event.TacticIds + - crowdstrike.event.IPv6Addresses + - crowdstrike.event.IPv4Addresses + - crowdstrike.event.ParentCommandLine + - crowdstrike.event.CommandLine + - crowdstrike.event.ProcessStartTime + - crowdstrike.event.IncidentStartTime + - crowdstrike.event.HostNames + - crowdstrike.event.DomainNames + - crowdstrike.event.Users + - crowdstrike.event.SHA256Hashes + - crowdstrike.event.MD5Hashes + - crowdstrike.event.Author + - crowdstrike.event.ProcessEndTime + - crowdstrike.event.IncidentEndTime + - crowdstrike.metadata.eventCreationTime + - crowdstrike.event.UTCTimestamp + - crowdstrike.event.ContextTimeStamp + - crowdstrike.event.PID + - crowdstrike.event.RemotePort + - crowdstrike.event.LocalPort + - crowdstrike.event.ConnectionDirection + - crowdstrike.event.StartTimestamp + - crowdstrike.event.StartTimeEpoch + - crowdstrike.event.AdditionalAccountDomain + - crowdstrike.event.AdditionalAccountName + - crowdstrike.event.AdditionalEndpointHostName + - crowdstrike.event.AdditionalEndpointIpAddress + - crowdstrike.event.AttemptOutcome + - crowdstrike.event.EndTimeEpoch + - crowdstrike.event.EndTimestamp + - crowdstrike.event.EndTime + - crowdstrike.event.EventCreatedTimestamp + - crowdstrike.event.StartTime + - crowdstrike.event.Disposition + - crowdstrike.event.MatchedTimestamp + - crowdstrike.event.Tags + - crowdstrike.event.UserId + - crowdstrike.event.UserName + ignore_missing: true + + - script: + description: This script processor iterates over the whole document to remove fields with null/empty values. + tag: remove_nulls + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml new file mode 100644 index 0000000000..13f32b838b --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml @@ -0,0 +1,212 @@ +--- +processors: + - set: + field: event.kind + value: alert + tag: set_event_kind + - append: + field: event.category + value: malware + tag: append_malware_category + - append: + field: event.type + value: info + tag: append_info_type + - rename: + field: crowdstrike.event.UserName + target_field: user.name + ignore_missing: true + tag: rename_user_name + - date: + field: crowdstrike.event.ProcessStartTime + target_field: process.start + timezone: UTC + formats: + - UNIX_MS + tag: date_process_start_time_ms + if: 'ctx.crowdstrike?.event?.ProcessStartTime != null && String.valueOf(ctx.crowdstrike.event.ProcessStartTime).length() >= 12' + - date: + field: crowdstrike.event.ProcessStartTime + target_field: process.start + timezone: UTC + formats: + - UNIX + tag: date_process_start_time + if: 'ctx.crowdstrike?.event?.ProcessStartTime != null && String.valueOf(ctx.crowdstrike.event.ProcessStartTime).length() <= 11' + - date: + field: crowdstrike.event.ProcessEndTime + target_field: process.end + timezone: UTC + formats: + - UNIX_MS + tag: date_process_end_time_ms + if: 'ctx.crowdstrike?.event?.ProcessEndTime != null && String.valueOf(ctx.crowdstrike.event.ProcessEndTime).length() >= 12' + - date: + field: crowdstrike.event.ProcessEndTime + target_field: process.end + timezone: UTC + formats: + - UNIX + tag: date_process_end_time + if: 'ctx.crowdstrike?.event?.ProcessEndTime != null && String.valueOf(ctx.crowdstrike.event.ProcessEndTime).length() <= 11' + - rename: + field: crowdstrike.event.LocalIP + target_field: source.ip + ignore_missing: true + tag: rename_local_ip + if: ctx.crowdstrike?.event?.LocalIP != null && ctx.crowdstrike?.event?.LocalIP != "" + - rename: + field: crowdstrike.event.ProcessId + target_field: process.pid + ignore_missing: true + tag: rename_process_id + - split: + field: crowdstrike.event.HostGroups + separator: ',' + ignore_missing: true + tag: split_host_groups + - rename: + field: crowdstrike.event.ParentProcessId + target_field: process.parent.pid + ignore_missing: true + tag: rename_parent_process_id + - rename: + field: crowdstrike.event.ParentImageFileName + target_field: process.parent.executable + ignore_missing: true + tag: rename_parent_image_file_name + if: ctx.process?.parent?.executable == null + - rename: + field: crowdstrike.event.PatternDispositionDescription + target_field: event.action + ignore_missing: true + tag: rename_pattern_disposition_description + - rename: + field: crowdstrike.event.FalconHostLink + target_field: event.reference + ignore_missing: true + tag: rename_falcon_host_link + - rename: + field: crowdstrike.event.DetectDescription + target_field: message + ignore_missing: true + tag: rename_detect_description + - set: + field: rule.description + copy_from: message + tag: set_rule_description + if: ctx.message != null + - set: + tag: set_process_name_0cc9dd81 + field: process.name + copy_from: crowdstrike.event.FileName + ignore_empty_value: true + - rename: + field: crowdstrike.event.MachineDomain + target_field: host.domain + ignore_missing: true + tag: rename_machine_domain + - rename: + field: crowdstrike.event.ComputerName + target_field: host.name + ignore_missing: true + tag: rename_computer_name + - rename: + field: crowdstrike.event.SHA256String + target_field: file.hash.sha256 + ignore_missing: true + tag: rename_sha256_string + - rename: + field: crowdstrike.event.MD5String + target_field: file.hash.md5 + ignore_missing: true + tag: rename_md5_string + - rename: + field: crowdstrike.event.SHA1String + target_field: file.hash.sha1 + ignore_missing: true + tag: rename_sha1_string + - append: + field: related.hash + value: "{{{file.hash.sha1}}}" + allow_duplicates: false + tag: append_sha1_hash + if: ctx.file?.hash?.sha1 != null && ctx.file?.hash?.sha1 != "" + - append: + field: related.hash + value: "{{{file.hash.sha256}}}" + allow_duplicates: false + tag: append_sha256_hash + if: ctx.file?.hash?.sha256 != null && ctx.file?.hash?.sha256 != "" + - append: + field: related.hash + value: "{{{file.hash.md5}}}" + allow_duplicates: false + tag: append_md5_hash + if: ctx.file?.hash?.md5 != null && ctx.file?.hash?.md5 != "" + - rename: + field: crowdstrike.event.FileName + target_field: file.name + ignore_missing: true + tag: rename_file_name + - rename: + field: crowdstrike.event.FilePath + target_field: file.path + ignore_missing: true + tag: rename_file_path + - rename: + field: crowdstrike.event.DetectName + target_field: rule.name + ignore_missing: true + tag: rename_detect_name + - rename: + field: crowdstrike.event.DetectId + target_field: rule.id + ignore_missing: true + tag: rename_detect_id + - rename: + field: crowdstrike.event.MacAddress + target_field: host.mac + ignore_missing: true + tag: rename_mac_address + if: ctx.crowdstrike?.event?.MacAddress != null + - uppercase: + field: host.mac + ignore_missing: true + tag: uppercase_mac_address + if: ctx.host?.mac != null + +# Threat fields: the default pipeline sets threat.framework from the threat.* fields. + - append: + field: threat.technique.name + value: "{{{crowdstrike.event.Technique}}}" + tag: append_technique_name + if: ctx.crowdstrike?.event?.Technique != null + - append: + field: threat.technique.id + value: "{{{crowdstrike.event.TechniqueId}}}" + tag: append_technique_id + if: ctx.crowdstrike?.event?.TechniqueId != null + - append: + field: threat.tactic.name + value: "{{{crowdstrike.event.Tactic}}}" + tag: append_tactic_name + if: ctx.crowdstrike?.event?.Tactic != null + - append: + field: threat.tactic.id + value: "{{{crowdstrike.event.TacticId}}}" + tag: append_tactic_id + if: ctx.crowdstrike?.event?.TacticId != null + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/epp_detection_summary.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/epp_detection_summary.yml new file mode 100644 index 0000000000..24a04de529 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/epp_detection_summary.yml @@ -0,0 +1,110 @@ +--- +processors: + # Handle case changes. + - rename: + tag: rename_GrandParentCommandLine_GrandparentCommandLine + field: crowdstrike.event.GrandParentCommandLine + target_field: crowdstrike.event.GrandparentCommandLine + ignore_failure: true + - rename: + tag: rename_GrandParentImageFileName_GrandparentImageFileName + field: crowdstrike.event.GrandParentImageFileName + target_field: crowdstrike.event.GrandparentImageFileName + ignore_failure: true + - rename: + tag: rename_GrandParentImageFilePath_GrandparentImageFilePath + field: crowdstrike.event.GrandParentImageFilePath + target_field: crowdstrike.event.GrandparentImageFilePath + ignore_failure: true + # EppDetectionSummaryEvent renames + - rename: + tag: rename_Hostname_ComputerName + field: crowdstrike.event.Hostname + target_field: crowdstrike.event.ComputerName + ignore_failure: true + - rename: + tag: rename_LogonDomain_MachineDomain + field: crowdstrike.event.LogonDomain + target_field: crowdstrike.event.MachineDomain + ignore_failure: true + - rename: + tag: rename_AgentId_SensorId + field: crowdstrike.event.AgentId + target_field: crowdstrike.event.SensorId + ignore_failure: true + - rename: + tag: rename_Name_DetectName + field: crowdstrike.event.Name + target_field: crowdstrike.event.DetectName + ignore_failure: true + + # EppDetectionSummaryEvent converts + - convert: + field: crowdstrike.event.LocalIPv6 + tag: convert_crowdstrike_LocalIPv6_ip + type: ip + if: ctx.crowdstrike?.event?.LocalIPv6 != null && ctx.crowdstrike.event.LocalIPv6 != '' + on_failure: + - remove: + tag: remove_crowdstrike_event_LocalIPv6_b3dc135b + field: crowdstrike.event.LocalIPv6 + ignore_failure: true + - append: + tag: append_error_message_9f65dae0 + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: crowdstrike.event.FilesAccessed + tag: convert_crowdstrike_filesaccessed_timestamp_array + if: ctx.crowdstrike?.event?.FilesAccessed instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.Timestamp + target_field: _ingest._value.Timestamp + formats: + - UNIX + tag: convert_crowdstrike_filesaccessed_timestamp + on_failure: + - remove: + field: _ingest._value.Timestamp + ignore_failure: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: crowdstrike.event.FilesWritten + tag: convert_crowdstrike_fileswritten_timestamp_array + if: ctx.crowdstrike?.event?.FilesWritten instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.Timestamp + target_field: _ingest._value.Timestamp + formats: + - UNIX + tag: convert_crowdstrike_fileswritten_timestamp + on_failure: + - remove: + field: _ingest._value.Timestamp + ignore_failure: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + - pipeline: + name: '{{ IngestPipeline "detection_summary" }}' + tag: pipeline_detection_summary + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml new file mode 100644 index 0000000000..7cb95e3d41 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml @@ -0,0 +1,199 @@ +--- +processors: + - set: + tag: set_event_kind_de80643c + field: event.kind + value: event + - append: + field: event.category + value: network + tag: append_network_category + - append: + field: event.action + value: firewall_match_event + tag: append_firewall_match_event + - append: + field: event.type + value: + - start + - connection + tag: append_start_connection_type + - append: + field: event.type + value: allowed + tag: append_allowed_type + if: ctx.crowdstrike?.event?.RuleAction != null && ctx.crowdstrike?.event?.RuleAction == "1" + - set: + field: _tmp_.action + value: "Allowed" + tag: set_allowed_action + if: ctx.crowdstrike?.event?.RuleAction != null && ctx.crowdstrike?.event?.RuleAction == "1" + - append: + field: event.type + value: denied + tag: append_denied_type + if: ctx.crowdstrike?.event?.RuleAction != null && ctx.crowdstrike?.event?.RuleAction == "2" + - set: + field: _tmp_.action + value: "Blocked" + tag: set_blocked_action + if: ctx.crowdstrike?.event?.RuleAction != null && ctx.crowdstrike?.event?.RuleAction == "2" + - set: + field: _tmp_.action + value: "Unknown" + tag: set_unknown_action + if: ctx._tmp_?.action == null + - set: + field: message + value: "Firewall Rule: '{{{crowdstrike.event.RuleName}}}' triggered - Action: '{{{_tmp_.action}}}'" + tag: set_message + if: ctx.crowdstrike?.event?.RuleName != null + - rename: + field: crowdstrike.event.Ipv + target_field: network.type + ignore_missing: true + tag: rename_ipv + - convert: + field: crowdstrike.event.PID + target_field: process.pid + type: long + ignore_missing: true + tag: convert_pid + - set: + value: '{{{crowdstrike.event.ImageFileName}}}' + field: process.executable + ignore_empty_value: true + tag: set_process_executable_to_image_file_name + - remove: + field: crowdstrike.event.ImageFileName + ignore_missing: true + tag: remove_image_file_name + - rename: + field: crowdstrike.event.RuleId + target_field: rule.id + ignore_missing: true + tag: rename_rule_id + - rename: + field: crowdstrike.event.RuleName + target_field: rule.name + ignore_missing: true + tag: rename_rule_name + - rename: + field: crowdstrike.event.RuleGroupName + target_field: rule.ruleset + ignore_missing: true + tag: rename_rule_group_name + - rename: + field: crowdstrike.event.RuleDescription + target_field: rule.description + ignore_missing: true + tag: rename_rule_description + - rename: + field: crowdstrike.event.RuleFamilyID + target_field: rule.category + ignore_missing: true + tag: rename_rule_family_id + - rename: + field: crowdstrike.event.HostName + target_field: host.name + ignore_missing: true + tag: rename_host_name + - rename: + field: crowdstrike.event.EventType + target_field: event.code + ignore_missing: true + tag: rename_event_type + - script: + tag: script-set-network-direction + description: Set network.direction + lang: painless + if: ctx.crowdstrike?.event?.ConnectionDirection != null + source: | + def result = []; + if (ctx.crowdstrike.event.ConnectionDirection == "0") { + result.add('egress'); + } else if (ctx.crowdstrike.event.ConnectionDirection == "1") { + result.add('ingress'); + } else if (ctx.crowdstrike.event.ConnectionDirection == "3") { + result.add('egress'); + result.add('ingress'); + } else if (ctx.crowdstrike.event.ConnectionDirection == "4") { + result.add('unknown'); + } + if (result.size() > 0) { + ctx.network = ctx.network ?: [:]; + } + if (result.size() == 1) { + ctx.network.direction = result[0]; + } else if (result.size() > 1) { + ctx.network.direction = result; + } + - rename: + field: crowdstrike.event.RemoteAddress + target_field: source.ip + ignore_missing: true + tag: rename_remote_address_to_source_ip + if: ctx.crowdstrike?.event?.RemoteAddress != null && ctx.network?.direction == "ingress" + - rename: + field: crowdstrike.event.LocalAddress + target_field: destination.ip + ignore_missing: true + tag: rename_local_address_to_destination_ip + if: ctx.crowdstrike?.event?.LocalAddress != null && ctx.network?.direction == "ingress" + - convert: + field: crowdstrike.event.LocalPort + target_field: destination.port + type: long + ignore_missing: true + tag: convert_local_port_to_destination_port + if: ctx.crowdstrike?.event?.LocalPort != null && ctx.network?.direction == "ingress" + - convert: + field: crowdstrike.event.RemotePort + target_field: source.port + type: long + ignore_missing: true + tag: convert_remote_port_to_source_port + if: ctx.crowdstrike?.event?.RemotePort != null && ctx.network?.direction == "ingress" + - rename: + field: crowdstrike.event.RemoteAddress + target_field: destination.ip + ignore_missing: true + tag: rename_remote_address_to_destination_ip + if: ctx.crowdstrike?.event?.RemoteAddress != null && ctx.network?.direction == "egress" + - rename: + field: crowdstrike.event.LocalAddress + target_field: source.ip + ignore_missing: true + tag: rename_local_address_to_source_ip + if: ctx.crowdstrike?.event?.LocalAddress != null && ctx.network?.direction == "egress" + - convert: + field: crowdstrike.event.LocalPort + target_field: source.port + type: long + ignore_missing: true + tag: convert_local_port_to_source_port + if: ctx.crowdstrike?.event?.LocalPort != null && ctx.network?.direction == "egress" + - convert: + field: crowdstrike.event.RemotePort + target_field: destination.port + type: long + ignore_missing: true + tag: convert_remote_port_to_destination_port + if: ctx.crowdstrike?.event?.RemotePort != null && ctx.network?.direction == "egress" + - rename: + field: crowdstrike.event.Platform + target_field: host.os.platform + ignore_missing: true + tag: rename_Platform +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml new file mode 100644 index 0000000000..92d680834c --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/identity_protection_incident.yml @@ -0,0 +1,131 @@ +--- +processors: + - set: + field: event.kind + value: event + tag: set_event_kind + - append: + field: event.category + value: iam + tag: append_iam_category + - append: + field: event.type + value: info + tag: append_info_type + - rename: + field: crowdstrike.event.IncidentType + target_field: event.action + ignore_missing: true + tag: rename_incident_type + - rename: + field: crowdstrike.event.IncidentDescription + target_field: message + ignore_missing: true + tag: rename_incident_description + - rename: + field: crowdstrike.event.IdentityProtectionIncidentId + target_field: event.id + ignore_missing: true + tag: rename_identity_protection_incident_id + - rename: + field: crowdstrike.event.FalconHostLink + target_field: event.reference + ignore_missing: true + tag: rename_falcon_host_link + - rename: + field: crowdstrike.event.UserName + target_field: user.name + ignore_missing: true + tag: rename_user_name + - dissect: + if: ctx.user?.name != null && ctx.user.name.contains('\\') + tag: dissect_user_name + field: user.name + pattern: '%{user.domain}\%{user.name}' + - rename: + field: crowdstrike.event.EndpointName + target_field: host.hostname + ignore_missing: true + tag: rename_endpoint_name + - append: + field: host.ip + value: '{{{crowdstrike.event.EndpointIp}}}' + if: ctx.crowdstrike?.event?.EndpointIp != null && ctx.crowdstrike.event.EndpointIp != '' + tag: append_host_ip + - remove: + field: crowdstrike.event.EndpointIp + if: ctx.crowdstrike?.event?.EndpointIp != null + tag: remove_host_ip + - convert: + field: crowdstrike.event.StartTime + type: string + tag: convert_start_time_epoch + ignore_missing: true + if: ctx.crowdstrike?.event?.StartTime != null + - gsub: + field: crowdstrike.event.StartTime + pattern: "\\d{6}$" + replacement: "" + tag: gsub_start_time_epoch + if: "ctx.crowdstrike?.event?.StartTime != null && ctx.crowdstrike.event.StartTime.length() > 18" + - date: + field: crowdstrike.event.StartTime + target_field: event.start + timezone: UTC + formats: + - UNIX_MS + tag: date_event_start_time_epoch_ms + if: "ctx.crowdstrike?.event?.StartTime != null && ctx.crowdstrike.event.StartTime.length() >= 12" + - date: + field: crowdstrike.event.StartTime + target_field: event.start + timezone: UTC + formats: + - UNIX + tag: date_event_start_time_epoch + if: 'ctx.crowdstrike?.event?.StartTime != null && ctx.crowdstrike.event.StartTime.length() <= 11' + - convert: + field: crowdstrike.event.EndTime + type: string + tag: convert_end_time_epoch + ignore_missing: true + if: ctx.crowdstrike?.event?.EndTime != null + - gsub: + field: crowdstrike.event.EndTime + pattern: "\\d{6}$" + replacement: "" + tag: gsub_end_time_epoch + if: "ctx.crowdstrike?.event?.EndTime != null && ctx.crowdstrike.event.EndTime.length() > 18" + - date: + field: crowdstrike.event.EndTime + target_field: event.end + timezone: UTC + formats: + - UNIX_MS + tag: date_event_end_time_epoch_ms + if: "ctx.crowdstrike?.event?.EndTime != null && ctx.crowdstrike.event.EndTime.length() >= 12" + - date: + field: crowdstrike.event.EndTime + target_field: event.end + timezone: UTC + formats: + - UNIX + tag: date_event_end_time_epoch + if: 'ctx.crowdstrike?.event?.EndTime != null && ctx.crowdstrike.event.EndTime.length() <= 11' + - set: + field: '@timestamp' + copy_from: event.start + tag: copy_timestamp_from_event_start + if: ctx.event?.start != null +on_failure: + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml new file mode 100644 index 0000000000..3355f574f9 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/incident_summary.yml @@ -0,0 +1,96 @@ +--- +processors: + - set: + tag: set_event_kind_39295792 + field: event.kind + value: alert + - append: + field: event.category + value: malware + tag: append_malware_category + - append: + field: event.type + value: info + tag: append_info_type + - append: + field: event.action + value: incident + tag: append_incident_action + - grok: + tag: grok_crowdstrike_event_UserId_70ae09b7 + field: crowdstrike.event.UserId + patterns: + - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}' + - '%{GREEDYDATA:user.name}' + ignore_missing: true + ignore_failure: true + - set: + field: user.email + copy_from: crowdstrike.event.UserId + tag: copy_user_email + if: ctx.crowdstrike?.event?.UserId != null && ctx.crowdstrike.event.UserId.indexOf("@") > 0 + - date: + field: crowdstrike.event.IncidentStartTime + target_field: event.start + timezone: UTC + formats: + - UNIX_MS + tag: date_incident_start_time_ms + if: 'ctx.crowdstrike?.event?.IncidentStartTime != null && String.valueOf(ctx.crowdstrike.event.IncidentStartTime).length() >= 12' + - date: + field: crowdstrike.event.IncidentStartTime + target_field: event.start + timezone: UTC + formats: + - UNIX + tag: date_incident_start_time + if: 'ctx.crowdstrike?.event?.IncidentStartTime != null && String.valueOf(ctx.crowdstrike.event.IncidentStartTime).length() <= 11' + - date: + field: crowdstrike.event.IncidentEndTime + target_field: event.end + timezone: UTC + formats: + - UNIX_MS + tag: date_incident_end_time_ms + if: 'ctx.crowdstrike?.event?.IncidentEndTime != null && String.valueOf(ctx.crowdstrike.event.IncidentEndTime).length() >= 12' + - date: + field: crowdstrike.event.IncidentEndTime + target_field: event.end + timezone: UTC + formats: + - UNIX + tag: date_incident_end_time + if: 'ctx.crowdstrike?.event?.IncidentEndTime != null && String.valueOf(ctx.crowdstrike.event.IncidentEndTime).length() <= 11' + - rename: + field: crowdstrike.event.FalconHostLink + target_field: event.reference + ignore_missing: true + tag: rename_falcon_host_link + - rename: + field: crowdstrike.event.HostID + target_field: host.id + ignore_missing: true + tag: rename_host_id + - rename: + field: crowdstrike.event.IncidentID + target_field: event.id + ignore_missing: true + tag: rename_incident_id + - set: + field: message + value: "Incident score {{{crowdstrike.event.FineScore}}}" + tag: set_message + if: ctx.crowdstrike?.event?.FineScore != null + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/ipd_detection_summary.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/ipd_detection_summary.yml new file mode 100644 index 0000000000..6f19607e78 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/ipd_detection_summary.yml @@ -0,0 +1,286 @@ +--- +processors: + - set: + tag: set_event_kind_39295792 + field: event.kind + value: alert + - append: + field: event.category + value: malware + tag: append_malware_category + - append: + field: event.type + value: info + tag: append_info_type + - set: + tag: set_event_action_9543b2bf + field: event.action + value: ipd-detection + - set: + tag: set_event_outcome_60052845 + field: event.outcome + value: success + if: ctx.crowdstrike?.event?.AttemptOutcome == true + - set: + tag: set_event_outcome_dd25ba45 + field: event.outcome + value: failure + if: ctx.crowdstrike?.event?.AttemptOutcome == false + - rename: + field: crowdstrike.event.DetectDescription + target_field: message + ignore_missing: true + tag: rename_detect_description + - rename: + field: crowdstrike.event.LocationCountryCode + target_field: host.geo.country_iso_code + ignore_missing: true + tag: rename_location_country_code + - convert: + field: crowdstrike.event.PatternId + target_field: rule.uuid + type: string + tag: convert_pattern_id + ignore_missing: true + - rename: + field: crowdstrike.event.SourceAccountDomain + target_field: user.domain + ignore_missing: true + tag: rename_source_account_domain + - rename: + field: crowdstrike.event.SourceAccountName + target_field: user.name + ignore_missing: true + tag: rename_source_account_name + - rename: + field: crowdstrike.event.SourceAccountObjectSid + target_field: user.id + ignore_missing: true + tag: rename_source_account_object_sid + - rename: + field: crowdstrike.event.SourceEndpointHostName + target_field: host.name + ignore_missing: true + tag: rename_source_endpoint_hostname + - append: + field: host.ip + value: '{{{crowdstrike.event.SourceEndpointIpAddress}}}' + if: ctx.crowdstrike?.event?.SourceEndpointIpAddress != null && ctx.crowdstrike.event.SourceEndpointIpAddress != '' + tag: append_host_ip + - remove: + field: crowdstrike.event.SourceEndpointIpAddress + if: ctx.crowdstrike?.event?.SourceEndpointIpAddress != null + tag: remove_host_ip + - append: + field: threat.technique.name + value: "{{{crowdstrike.event.Technique}}}" + tag: append_technique_name + if: ctx.crowdstrike?.event?.Technique != null + - append: + field: threat.technique.id + value: "{{{crowdstrike.event.TechniqueId}}}" + tag: append_technique_id + if: ctx.crowdstrike?.event?.TechniqueId != null + - append: + field: threat.tactic.name + value: "{{{crowdstrike.event.Tactic}}}" + tag: append_tactic_name + if: ctx.crowdstrike?.event?.Tactic != null + - append: + field: threat.tactic.id + value: "{{{crowdstrike.event.TacticId}}}" + tag: append_tactic_id + if: ctx.crowdstrike?.event?.TacticId != null + - set: + field: rule.description + copy_from: message + tag: set_rule_description + if: ctx.message != null + - rename: + field: crowdstrike.event.DetectName + target_field: rule.name + ignore_missing: true + tag: rename_detect_name + - rename: + field: crowdstrike.event.DetectId + target_field: rule.id + ignore_missing: true + tag: rename_detect_id + - rename: + field: crowdstrike.event.FalconHostLink + target_field: event.reference + ignore_missing: true + tag: rename_falcon_host_link + - remove: + tag: remove_9545c61d + field: + - event.created + ignore_missing: true + if: ctx.crowdstrike?.event?.ContextTimeStamp != null + - convert: + field: crowdstrike.event.ContextTimeStamp + type: string + tag: convert_context_timestamp + ignore_missing: true + if: ctx.crowdstrike?.event?.ContextTimeStamp != null + - gsub: + field: crowdstrike.event.ContextTimeStamp + pattern: "\\d{6}$" + replacement: "" + tag: gsub_context_timestamp + if: "ctx.crowdstrike?.event?.ContextTimeStamp != null && ctx.crowdstrike.event.ContextTimeStamp.length() > 18" + - date: + field: crowdstrike.event.ContextTimeStamp + target_field: event.created + timezone: UTC + formats: + - UNIX_MS + tag: date_context_timestamp_ms + if: "ctx.crowdstrike?.event?.ContextTimeStamp != null && ctx.crowdstrike.event.ContextTimeStamp.length() >= 12" + - date: + field: crowdstrike.event.ContextTimeStamp + target_field: event.created + timezone: UTC + formats: + - UNIX + tag: date_context_timestamp + if: 'ctx.crowdstrike?.event?.ContextTimeStamp != null && ctx.crowdstrike.event.ContextTimeStamp.length() <= 11' + - convert: + field: crowdstrike.event.AccountCreationTimeStamp + type: string + tag: convert_account_creation_timestamp + ignore_missing: true + if: ctx.crowdstrike?.event?.AccountCreationTimeStamp != null + - gsub: + field: crowdstrike.event.AccountCreationTimeStamp + pattern: "\\d{6}$" + replacement: "" + tag: gsub_account_creation_timestamp + if: "ctx.crowdstrike?.event?.AccountCreationTimeStamp != null && ctx.crowdstrike.event.AccountCreationTimeStamp.length() > 18" + - date: + field: crowdstrike.event.AccountCreationTimeStamp + target_field: crowdstrike.event.AccountCreationTimeStamp + timezone: UTC + formats: + - UNIX_MS + tag: date_account_creation_timestamp_ms + if: "ctx.crowdstrike?.event?.AccountCreationTimeStamp != null && ctx.crowdstrike.event.AccountCreationTimeStamp.length() >= 12" + - date: + field: crowdstrike.event.AccountCreationTimeStamp + target_field: crowdstrike.event.AccountCreationTimeStamp + timezone: UTC + formats: + - UNIX + tag: date_account_creation_timestamp + if: 'ctx.crowdstrike?.event?.AccountCreationTimeStamp != null && ctx.crowdstrike.event.AccountCreationTimeStamp.length() <= 11' + - convert: + field: crowdstrike.event.StartTime + type: string + tag: convert_start_time_epoch + ignore_missing: true + if: ctx.crowdstrike?.event?.StartTime != null + - gsub: + field: crowdstrike.event.StartTime + pattern: "\\d{6}$" + replacement: "" + tag: gsub_start_time_epoch + if: "ctx.crowdstrike?.event?.StartTime != null && ctx.crowdstrike.event.StartTime.length() > 18" + - date: + field: crowdstrike.event.StartTime + target_field: event.start + timezone: UTC + formats: + - UNIX_MS + tag: date_event_start_time_epoch_ms + if: "ctx.crowdstrike?.event?.StartTime != null && ctx.crowdstrike.event.StartTime.length() >= 12" + - date: + field: crowdstrike.event.StartTime + target_field: event.start + timezone: UTC + formats: + - UNIX + tag: date_event_start_time_epoch + if: 'ctx.crowdstrike?.event?.StartTime != null && ctx.crowdstrike.event.StartTime.length() <= 11' + - convert: + field: crowdstrike.event.EndTime + type: string + tag: convert_end_time_epoch + ignore_missing: true + if: ctx.crowdstrike?.event?.EndTime != null + - gsub: + field: crowdstrike.event.EndTime + pattern: "\\d{6}$" + replacement: "" + tag: gsub_end_time_epoch + if: "ctx.crowdstrike?.event?.EndTime != null && ctx.crowdstrike.event.EndTime.length() > 18" + - date: + field: crowdstrike.event.EndTime + target_field: event.end + timezone: UTC + formats: + - UNIX_MS + tag: date_event_end_time_epoch_ms + if: "ctx.crowdstrike?.event?.EndTime != null && ctx.crowdstrike.event.EndTime.length() >= 12" + - date: + field: crowdstrike.event.EndTime + target_field: event.end + timezone: UTC + formats: + - UNIX + tag: date_event_end_time_epoch + if: 'ctx.crowdstrike?.event?.EndTime != null && ctx.crowdstrike.event.EndTime.length() <= 11' + - append: + field: related.hosts + value: "{{{crowdstrike.event.TargetEndpointHostName}}}" + allow_duplicates: false + tag: append_target_endpoint_hostname + if: ctx.crowdstrike?.event?.TargetEndpointHostName != null + - append: + field: related.hosts + value: "{{{crowdstrike.event.TargetDomain}}}" + allow_duplicates: false + tag: append_target_domain + if: ctx.crowdstrike?.event?.TargetDomain != null + - append: + field: related.user + value: "{{{crowdstrike.event.TargetAccountName}}}" + allow_duplicates: false + tag: append_target_account_name + if: ctx.crowdstrike?.event?.TargetAccountName != null + - append: + field: related.hosts + value: "{{{crowdstrike.event.AdditionalAccountDomain}}}" + allow_duplicates: false + tag: append_additional_account_domain + if: ctx.crowdstrike?.event?.AdditionalAccountDomain != null + - append: + field: related.hosts + value: "{{{crowdstrike.event.AdditionalAccountName}}}" + allow_duplicates: false + tag: append_additional_account_name + if: ctx.crowdstrike?.event?.AdditionalAccountName != null + - append: + field: related.hosts + value: "{{{crowdstrike.event.AdditionalEndpointHostName}}}" + allow_duplicates: false + tag: append_additional_endpoint_hostname + if: ctx.crowdstrike?.event?.AdditionalEndpointHostName != null + - append: + field: related.ip + value: "{{{crowdstrike.event.AdditionalEndpointIpAddress}}}" + allow_duplicates: false + tag: append_additional_endpoint_ip + if: ctx.crowdstrike?.event?.AdditionalEndpointIpAddress != null + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/mobile_detection_summary.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/mobile_detection_summary.yml new file mode 100644 index 0000000000..9740e47c9e --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/mobile_detection_summary.yml @@ -0,0 +1,123 @@ +--- +processors: + - set: + field: event.kind + value: alert + tag: set_event_kind + - append: + field: event.category + value: malware + tag: append_malware_category + - append: + field: event.type + value: info + tag: append_info_type + - set: + tag: set_event_action_2bf36a54 + field: event.action + value: mobile-detection + - remove: + field: event.created + if: ctx.crowdstrike?.event?.ContextTimeStamp != null + tag: remove_event_created + ignore_missing: true + - date: + field: crowdstrike.event.ContextTimeStamp + target_field: event.created + timezone: UTC + formats: + - UNIX + tag: date_event_creation_time + if: 'ctx.crowdstrike?.event?.ContextTimeStamp != null && String.valueOf(ctx.crowdstrike.event.ContextTimeStamp).length() <= 11' + - date: + field: crowdstrike.event.ContextTimeStamp + target_field: event.created + timezone: UTC + formats: + - UNIX_MS + tag: date_event_creation_time_ms + if: 'ctx.crowdstrike?.event?.ContextTimeStamp != null && String.valueOf(ctx.crowdstrike.event.ContextTimeStamp).length() >= 12' + - rename: + field: crowdstrike.event.MobileDetectionId + target_field: event.id + ignore_missing: true + tag: rename_mobile_detect_id + - convert: + field: event.id + type: string + ignore_missing: true + tag: convert_event_id_to_string + - rename: + field: crowdstrike.event.DetectId + target_field: rule.id + ignore_missing: true + tag: rename_detect_id + - rename: + field: crowdstrike.event.DetectName + target_field: rule.name + ignore_missing: true + tag: rename_detect_name + - rename: + field: crowdstrike.event.DetectDescription + target_field: rule.description + ignore_missing: true + tag: rename_detect_description +# Threat fields: the default pipeline sets threat.framework from the threat.* fields. + - append: + field: threat.technique.name + value: "{{{crowdstrike.event.Technique}}}" + tag: append_technique_name + if: ctx.crowdstrike?.event?.Technique != null + - append: + field: threat.technique.id + value: "{{{crowdstrike.event.TechniqueId}}}" + tag: append_technique_id + if: ctx.crowdstrike?.event?.TechniqueId != null + - append: + field: threat.tactic.name + value: "{{{crowdstrike.event.Tactic}}}" + tag: append_tactic_name + if: ctx.crowdstrike?.event?.Tactic != null + - append: + field: threat.tactic.id + value: "{{{crowdstrike.event.TacticId}}}" + tag: append_tactic_id + if: ctx.crowdstrike?.event?.TacticId != null + - rename: + field: crowdstrike.event.ComputerName + target_field: host.name + ignore_missing: true + tag: rename_computer_name + - rename: + field: crowdstrike.event.UserName + target_field: user.name + ignore_missing: true + tag: rename_user_name + - rename: + field: crowdstrike.event.FalconHostLink + target_field: event.reference + ignore_missing: true + tag: rename_falcon_host_link + - rename: + field: crowdstrike.event.SensorId + target_field: device.id + ignore_missing: true + tag: rename_sensor_id + - rename: + field: crowdstrike.event.ProcessId + target_field: process.pid + ignore_missing: true + tag: rename_process_id + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/recon_notification_summary.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/recon_notification_summary.yml new file mode 100644 index 0000000000..a36073c600 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/recon_notification_summary.yml @@ -0,0 +1,94 @@ +--- +processors: + - set: + tag: set_event_kind_de80643c + field: event.kind + value: event + - append: + field: event.category + value: threat + tag: append_threat_category + - append: + field: event.type + value: indicator + tag: append_indicator_type + - set: + tag: set_event_action_8e0d2082 + field: event.action + value: recon-notification + if: ctx.crowdstrike?.event?.ItemType == null + - set: + tag: set_event_action_d066e9f9 + field: event.action + value: "recon-notification-{{{crowdstrike.event.ItemType}}}" + if: ctx.crowdstrike?.event?.ItemType != null + - rename: + field: crowdstrike.event.ItemId + target_field: event.id + ignore_missing: true + tag: rename_item_id + - rename: + field: crowdstrike.event.RuleId + target_field: rule.id + ignore_missing: true + tag: rename_rule_id + - rename: + field: crowdstrike.event.RuleName + target_field: rule.name + ignore_missing: true + tag: rename_rule_name + - set: + field: rule.ruleset + copy_from: crowdstrike.event.RuleTopic + ignore_empty_value: true + tag: set_rule_ruleset + - rename: + field: crowdstrike.event.RuleTopic + target_field: rule.description + ignore_missing: true + tag: rename_rule_topic + - date: + field: crowdstrike.event.MatchedTimestamp + target_field: event.created + timezone: UTC + formats: + - UNIX_MS + tag: date_event_matched_timestamp_ms + if: "ctx.crowdstrike?.event?.MatchedTimestamp != null && String.valueOf(ctx.crowdstrike.event.MatchedTimestamp).length() >= 12" + - date: + field: crowdstrike.event.MatchedTimestamp + target_field: event.created + timezone: UTC + formats: + - UNIX + tag: date_event_matched_timestamp + if: 'ctx.crowdstrike?.event?.MatchedTimestamp != null && String.valueOf(ctx.crowdstrike.event.MatchedTimestamp).length() <= 11' + - date: + field: crowdstrike.event.ItemPostedTimestamp + target_field: event.created + timezone: UTC + formats: + - UNIX_MS + tag: date_item_posted_timestamp_ms + if: "ctx.crowdstrike?.event?.ItemPostedTimestamp != null && String.valueOf(ctx.crowdstrike.event.ItemPostedTimestamp).length() >= 12" + - date: + field: crowdstrike.event.ItemPostedTimestamp + target_field: event.created + timezone: UTC + formats: + - UNIX + tag: date_item_posted_timestamp + if: 'ctx.crowdstrike?.event?.ItemPostedTimestamp != null && String.valueOf(ctx.crowdstrike.event.ItemPostedTimestamp).length() <= 11' + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml new file mode 100644 index 0000000000..4c0a4df96a --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_end.yml @@ -0,0 +1,71 @@ +--- +processors: + - set: + tag: set_event_kind_de80643c + field: event.kind + value: event + - append: + field: event.category + value: + - network + - session + tag: append_network_category + - append: + field: event.action + value: remote_response_session_end_event + tag: append_remote_action + - append: + field: event.type + value: end + tag: append_end_type + - grok: + tag: grok_crowdstrike_event_UserName_6c9dafb5 + field: crowdstrike.event.UserName + patterns: + - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}' + - '%{GREEDYDATA:user.name}' + ignore_missing: true + ignore_failure: true + - set: + field: user.email + copy_from: crowdstrike.event.UserName + tag: copy_user_email + if: ctx.crowdstrike?.event?.UserName != null && ctx.crowdstrike.event.UserName.indexOf("@") > 0 + - date: + field: crowdstrike.event.EndTimestamp + target_field: event.end + timezone: UTC + formats: + - UNIX_MS + tag: date_end_timestamp_ms + if: 'ctx.crowdstrike?.event?.EndTimestamp != null && String.valueOf(ctx.crowdstrike.event.EndTimestamp).length() >= 12' + - date: + field: crowdstrike.event.EndTimestamp + target_field: event.end + timezone: UTC + formats: + - UNIX + tag: date_end_timestamp + if: 'ctx.crowdstrike?.event?.EndTimestamp != null && String.valueOf(ctx.crowdstrike.event.EndTimestamp).length() <= 11' + - set: + field: message + value: Remote response session ended. + tag: set_message + - rename: + field: crowdstrike.event.HostnameField + target_field: host.name + ignore_missing: true + tag: rename_hostname_field + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml new file mode 100644 index 0000000000..b591a61638 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/remote_response_session_start.yml @@ -0,0 +1,71 @@ +--- +processors: + - set: + tag: set_event_kind_de80643c + field: event.kind + value: event + - append: + field: event.category + value: + - network + - session + tag: append_network_category + - append: + field: event.action + value: remote_response_session_start_event + tag: append_remote_action + - append: + field: event.type + value: start + tag: append_start_type + - grok: + tag: grok_crowdstrike_event_UserName_6c9dafb5 + field: crowdstrike.event.UserName + patterns: + - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}' + - '%{GREEDYDATA:user.name}' + ignore_missing: true + ignore_failure: true + - set: + field: user.email + copy_from: crowdstrike.event.UserName + tag: copy_user_email + if: ctx.crowdstrike?.event?.UserName != null && ctx.crowdstrike.event.UserName.indexOf("@") > 0 + - date: + field: crowdstrike.event.StartTimestamp + target_field: event.start + timezone: UTC + formats: + - UNIX_MS + tag: date_start_timestamp_ms + if: 'ctx.crowdstrike?.event?.StartTimestamp != null && String.valueOf(ctx.crowdstrike.event.StartTimestamp).length() >= 12' + - date: + field: crowdstrike.event.StartTimestamp + target_field: event.start + timezone: UTC + formats: + - UNIX + tag: date_start_timestamp + if: 'ctx.crowdstrike?.event?.StartTimestamp != null && String.valueOf(ctx.crowdstrike.event.StartTimestamp).length() <= 11' + - set: + field: message + value: Remote response session started. + tag: set_message + - rename: + field: crowdstrike.event.HostnameField + target_field: host.name + ignore_missing: true + tag: rename_hostname_field + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/scheduled_report_notification_event.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/scheduled_report_notification_event.yml new file mode 100644 index 0000000000..ac3756a62a --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/scheduled_report_notification_event.yml @@ -0,0 +1,70 @@ +--- +description: Pipeline for processing Scheduled Report Notification Event. +processors: + - set: + tag: set_event_kind_de80643c + field: event.kind + value: event + - date: + field: crowdstrike.event.ExecutionMetadata.ExecutionStart + timezone: UTC + formats: + - UNIX_MS + tag: date_execution_start_ms + if: 'ctx.crowdstrike?.event?.ExecutionMetadata?.ExecutionStart != null && String.valueOf(ctx.crowdstrike.event.ExecutionMetadata.ExecutionStart).length() >= 12' + - date: + field: crowdstrike.event.ExecutionMetadata.SearchWindowStart + timezone: UTC + formats: + - UNIX_MS + tag: date_search_window_start_ms + if: 'ctx.crowdstrike?.event?.ExecutionMetadata?.SearchWindowStart != null && String.valueOf(ctx.crowdstrike.event.ExecutionMetadata.SearchWindowStart).length() >= 12' + - date: + field: crowdstrike.event.ExecutionMetadata.SearchWindowEnd + timezone: UTC + formats: + - UNIX_MS + tag: date_search_window_end_ms + if: 'ctx.crowdstrike?.event?.ExecutionMetadata?.SearchWindowEnd != null && String.valueOf(ctx.crowdstrike.event.ExecutionMetadata.SearchWindowEnd).length() >= 12' + - convert: + field: crowdstrike.event.ExecutionMetadata.ExecutionDuration + type: long + tag: convert_ExecutionDuration + ignore_missing: true + - convert: + field: crowdstrike.event.ExecutionMetadata.ResultCount + type: long + tag: convert_ResultCount + ignore_missing: true + - rename: + field: crowdstrike.event.UserID + target_field: user.id + ignore_missing: true + tag: rename_userID + - dissect: + if: ctx.user?.id != null && ctx.user.id.contains('@') + tag: dissect_user_id + field: user.id + pattern: '%{user.name}@%{user.domain}' + - set: + field: user.email + copy_from: user.id + tag: copy_user_email + if: ctx.user?.id != null && ctx.user.id.indexOf("@") > 0 + - convert: + field: crowdstrike.event.Status + type: string + tag: convert_Status + ignore_missing: true +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml new file mode 100644 index 0000000000..ff113aa1ea --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/user_activity_audit.yml @@ -0,0 +1,55 @@ +--- +processors: + - set: + tag: set_event_kind_de80643c + field: event.kind + value: event + - append: + field: event.category + value: iam + tag: append_iam_category + - append: + field: event.type + value: change + tag: append_change_type + - set: + field: event.action + value: user_activity_audit_event + tag: set_user_activity_audit_event + - grok: + tag: grok_crowdstrike_event_UserId_70ae09b7 + field: crowdstrike.event.UserId + patterns: + - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}' + - '%{GREEDYDATA:user.name}' + ignore_missing: true + ignore_failure: true + - set: + field: user.email + copy_from: crowdstrike.event.UserId + tag: copy_user_email + if: ctx.crowdstrike?.event?.UserId != null && ctx.crowdstrike.event.UserId.indexOf("@") > 0 + - rename: + field: crowdstrike.event.OperationName + target_field: message + ignore_missing: true + tag: rename_operation_name + - rename: + field: crowdstrike.event.UserIp + target_field: source.ip + ignore_missing: true + tag: rename_user_ip + if: ctx.crowdstrike?.event?.UserIp != null && ctx.crowdstrike?.event?.UserIp != "" + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/xdr_detection_summary.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/xdr_detection_summary.yml new file mode 100644 index 0000000000..4475e1377b --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/xdr_detection_summary.yml @@ -0,0 +1,243 @@ +--- +processors: + - set: + field: event.kind + value: alert + tag: set_event_kind + - append: + field: event.category + value: malware + tag: append_malware_category + - append: + field: event.type + value: info + tag: append_info_type + - set: + tag: set_event_action_2bbdf18c + field: event.action + value: xdr-detection + - append: + field: rule.author + value: "{{{crowdstrike.event.Author}}}" + tag: append_author + if: ctx.crowdstrike?.event?.Author != null + - rename: + tag: rename_crowdstrike_event_Name_to_rule_name_fcf360bf + field: crowdstrike.event.Name + target_field: rule.name + ignore_missing: true + - rename: + field: crowdstrike.event.DetectId + target_field: rule.id + ignore_missing: true + tag: rename_detect_id + - convert: + field: crowdstrike.event.PatternId + target_field: rule.uuid + type: string + tag: convert_pattern_id + ignore_missing: true + - rename: + field: crowdstrike.event.Description + target_field: message + ignore_missing: true + tag: rename_description + - split: + field: crowdstrike.event.DataDomains + separator: "," + tag: split_data_domains + if: ctx.crowdstrike?.event?.DataDomains != null && ctx.crowdstrike?.event?.DataDomains.contains(",") + - split: + field: crowdstrike.event.EmailAddresses + separator: "," + tag: split_email_addresses + if: ctx.crowdstrike?.event?.EmailAddresses != null && ctx.crowdstrike?.event?.EmailAddresses.contains(",") + - split: + field: crowdstrike.event.IPV4Addresses + separator: "," + target_field: related.ip + tag: split_ipv4_addresses + if: ctx.crowdstrike?.event?.IPV4Addresses != null && ctx.crowdstrike?.event?.IPV4Addresses.contains(",") + - append: + field: related.ip + value: "{{{crowdstrike.event.IPV4Addresses}}}" + allow_duplicates: false + tag: append_ipv4_addresses + if: ctx.crowdstrike?.event?.IPV4Addresses != null && !ctx.crowdstrike?.event?.IPV4Addresses.contains(",") + - split: + field: crowdstrike.event.IPV6Addresses + separator: "," + target_field: related.ip + tag: split_ipv6_addresses + if: ctx.crowdstrike?.event?.IPV6Addresses != null && ctx.crowdstrike?.event?.IPV6Addresses.contains(",") + - append: + field: related.ip + value: "{{{crowdstrike.event.IPV6Addresses}}}" + allow_duplicates: false + tag: append_ipv6_addresses + if: ctx.crowdstrike?.event?.IPV6Addresses != null && !ctx.crowdstrike?.event?.IPV6Addresses.contains(",") + - split: + field: crowdstrike.event.HostNames + separator: "," + target_field: related.hosts + tag: split_host_names + if: ctx.crowdstrike?.event?.HostNames != null && ctx.crowdstrike?.event?.HostNames.contains(",") + - append: + field: related.hosts + value: "{{{crowdstrike.event.HostNames}}}" + allow_duplicates: false + tag: append_host_names + if: ctx.crowdstrike?.event?.HostNames != null && !ctx.crowdstrike?.event?.HostNames.contains(",") + - split: + field: crowdstrike.event.DomainNames + separator: "," + target_field: related.hosts + tag: split_domain_names + if: ctx.crowdstrike?.event?.DomainNames != null && ctx.crowdstrike?.event?.DomainNames.contains(",") + - append: + field: related.hosts + value: "{{{crowdstrike.event.DomainNames}}}" + allow_duplicates: false + tag: append_domain_names + if: ctx.crowdstrike?.event?.DomainNames != null && !ctx.crowdstrike?.event?.DomainNames.contains(",") + - split: + field: crowdstrike.event.SHA256Hashes + separator: "," + target_field: related.hash + tag: split_sha256_hashes + if: ctx.crowdstrike?.event?.SHA256Hashes != null && ctx.crowdstrike?.event?.SHA256Hashes.contains(",") + - append: + field: related.hash + value: "{{{crowdstrike.event.SHA256Hashes}}}" + allow_duplicates: false + tag: append_sha256_hashes + if: ctx.crowdstrike?.event?.SHA256Hashes != null && !ctx.crowdstrike?.event?.SHA256Hashes.contains(",") + - split: + field: crowdstrike.event.MD5Hashes + separator: "," + target_field: related.hash + tag: split_md5_hashes + if: ctx.crowdstrike?.event?.MD5Hashes != null && ctx.crowdstrike?.event?.MD5Hashes.contains(",") + - append: + field: related.hash + value: "{{{crowdstrike.event.MD5Hashes}}}" + allow_duplicates: false + tag: append_md5_hashes + if: ctx.crowdstrike?.event?.MD5Hashes != null && !ctx.crowdstrike?.event?.MD5Hashes.contains(",") + - split: + field: crowdstrike.event.Users + separator: "," + target_field: related.user + tag: split_users + if: ctx.crowdstrike?.event?.Users != null && ctx.crowdstrike?.event?.Users.contains(",") + - append: + field: related.user + value: "{{{crowdstrike.event.Users}}}" + allow_duplicates: false + tag: append_users + if: ctx.crowdstrike?.event?.Users != null && !ctx.crowdstrike?.event?.Users.contains(",") + - set: + field: rule.description + copy_from: message + tag: set_rule_description + if: ctx.message != null + - convert: + field: crowdstrike.event.StartTimeEpoch + type: string + tag: convert_start_time_epoch + ignore_missing: true + if: ctx.crowdstrike?.event?.StartTimeEpoch != null + - gsub: + field: crowdstrike.event.StartTimeEpoch + pattern: "\\d{6}$" + replacement: "" + tag: gsub_start_time_epoch + if: "ctx.crowdstrike?.event?.StartTimeEpoch != null && String.valueOf(ctx.crowdstrike.event.StartTimeEpoch).length() > 18" + - date: + field: crowdstrike.event.StartTimeEpoch + target_field: event.start + timezone: UTC + formats: + - UNIX_MS + tag: date_event_start_time_epoch_ms + if: "ctx.crowdstrike?.event?.StartTimeEpoch != null && String.valueOf(ctx.crowdstrike.event.StartTimeEpoch).length() >= 12" + - date: + field: crowdstrike.event.StartTimeEpoch + target_field: event.start + timezone: UTC + formats: + - UNIX + tag: date_event_start_time_epoch + if: 'ctx.crowdstrike?.event?.StartTimeEpoch != null && String.valueOf(ctx.crowdstrike.event.StartTimeEpoch).length() <= 11' + - set: + field: '@timestamp' + copy_from: event.start + tag: copy_timestamp_from_event_start + if: ctx.event?.start != null + - convert: + field: crowdstrike.event.EndTimeEpoch + type: string + tag: convert_end_time_epoch + ignore_missing: true + if: ctx.crowdstrike?.event?.EndTimeEpoch != null + - gsub: + field: crowdstrike.event.EndTimeEpoch + pattern: "\\d{6}$" + replacement: "" + tag: gsub_end_time_epoch + if: "ctx.crowdstrike?.event?.EndTimeEpoch != null && String.valueOf(ctx.crowdstrike.event.EndTimeEpoch).length() > 18" + - date: + field: crowdstrike.event.EndTimeEpoch + target_field: event.end + timezone: UTC + formats: + - UNIX_MS + tag: date_event_end_time_epoch_ms + if: "ctx.crowdstrike?.event?.EndTimeEpoch != null && String.valueOf(ctx.crowdstrike.event.EndTimeEpoch).length() >= 12" + - date: + field: crowdstrike.event.EndTimeEpoch + target_field: event.end + timezone: UTC + formats: + - UNIX + tag: date_event_end_time_epoch + if: "ctx.crowdstrike?.event?.EndTimeEpoch != null && String.valueOf(ctx.crowdstrike.event.EndTimeEpoch).length() <= 11" + +# Threat fields: the default pipeline sets threat.framework from the threat.* fields. + - split: + field: crowdstrike.event.Techniques + separator: "," + target_field: threat.technique.name + tag: split_techniques + if: ctx.crowdstrike?.event?.Techniques != null + - split: + field: crowdstrike.event.TechniqueIds + separator: "," + target_field: threat.technique.id + tag: split_technique_ids + if: ctx.crowdstrike?.event?.TechniqueIds != null + - split: + field: crowdstrike.event.Tactics + separator: "," + target_field: threat.tactic.name + tag: split_tactics + if: ctx.crowdstrike?.event?.Tactics != null + - split: + field: crowdstrike.event.TacticIds + separator: "," + target_field: threat.tactic.id + tag: split_tactic_ids + if: ctx.crowdstrike?.event?.TacticIds != null + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/agent.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/agent.yml new file mode 100644 index 0000000000..2bc58530ba --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/agent.yml @@ -0,0 +1,33 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/base-fields.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/base-fields.yml new file mode 100644 index 0000000000..8248c071b3 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: crowdstrike +- name: event.dataset + type: constant_keyword + description: Event dataset + value: crowdstrike.falcon +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/beats.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/beats.yml new file mode 100644 index 0000000000..9619025555 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/beats.yml @@ -0,0 +1,9 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/ecs.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/ecs.yml new file mode 100644 index 0000000000..9c20c2129f --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/ecs.yml @@ -0,0 +1,167 @@ +# Remove this file when kibana.version satisfied ^8.14. +- name: message + external: ecs +- name: ecs.version + external: ecs +- name: event.code + external: ecs +- name: event.kind + external: ecs +- name: event.category + external: ecs +- name: event.type + external: ecs +- name: event.action + external: ecs +- name: event.original + external: ecs +- name: event.ingested + external: ecs +- name: event.created + external: ecs +- name: event.outcome + external: ecs +- name: event.url + external: ecs +- name: event.severity + external: ecs +- name: event.start + external: ecs +- name: event.end + external: ecs +- name: user.id + external: ecs +- name: user.name + external: ecs +- name: user.domain + external: ecs +- name: user.email + external: ecs +- name: threat.technique.name + external: ecs +- name: threat.technique.id + external: ecs +- name: threat.tactic.name + external: ecs +- name: threat.tactic.id + external: ecs +- name: threat.framework + external: ecs +- name: process.pid + external: ecs +- name: process.start + external: ecs +- name: process.end + external: ecs +- name: process.name + external: ecs +- name: process.command_line + external: ecs +- name: process.args + external: ecs +- name: process.executable + external: ecs +- name: process.parent.executable + external: ecs +- name: process.parent.pid + external: ecs +- name: process.parent.command_line + external: ecs +- name: process.parent.args + external: ecs +- name: device.id + external: ecs +- name: agent.name + external: ecs +- name: agent.id + external: ecs +- name: agent.type + external: ecs +- name: agent.version + external: ecs +- name: source.ip + external: ecs +- name: source.port + external: ecs +- name: destination.ip + external: ecs +- name: destination.port + external: ecs +- name: file.hash.sha1 + external: ecs +- name: file.hash.sha256 + external: ecs +- name: file.hash.md5 + external: ecs +- name: file.path + external: ecs +- name: rule.author + external: ecs +- name: rule.id + external: ecs +- name: rule.uuid + external: ecs +- name: rule.name + external: ecs +- name: rule.description + external: ecs +- name: error.message + external: ecs +- name: rule.ruleset + external: ecs +- name: rule.category + external: ecs +- name: network.direction + external: ecs +- name: network.type + external: ecs +- name: related.ip + external: ecs +- name: related.user + external: ecs +- name: related.hosts + external: ecs +- name: related.hash + external: ecs +- name: tags + external: ecs +- name: observer.vendor + external: ecs +- name: observer.product + external: ecs +- name: source.as.number + external: ecs +- name: source.as.organization.name + external: ecs +- name: source.geo.city_name + external: ecs +- name: source.geo.continent_name + external: ecs +- name: source.geo.country_iso_code + external: ecs +- name: source.geo.country_name + external: ecs +- name: source.geo.location + external: ecs +- name: source.geo.region_iso_code + external: ecs +- name: source.geo.region_name + external: ecs +- name: destination.as.number + external: ecs +- name: destination.as.organization.name + external: ecs +- name: destination.geo.city_name + external: ecs +- name: destination.geo.continent_name + external: ecs +- name: destination.geo.country_iso_code + external: ecs +- name: destination.geo.country_name + external: ecs +- name: destination.geo.location + external: ecs +- name: destination.geo.region_iso_code + external: ecs +- name: destination.geo.region_name + external: ecs diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/fields.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/fields.yml new file mode 100644 index 0000000000..d5f9003cb8 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/fields/fields.yml @@ -0,0 +1,929 @@ +- name: crowdstrike.metadata + title: Metadata fields + type: group + fields: + - name: eventType + type: keyword + description: | + DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent + - name: offset + type: integer + description: | + Offset number that tracks the location of the event in stream. This is used to identify unique detection events. + - name: customerIDString + type: keyword + description: | + Customer identifier + - name: version + type: keyword + description: | + Schema version +- name: crowdstrike.event + title: Event fields + type: group + fields: + - name: AccountId + type: keyword + - name: AgentId + type: keyword + - name: AgentIdString + type: keyword + - name: AggregateId + type: keyword + - name: AuditKeyValues + type: group + fields: + - name: Key + type: keyword + - name: ValueString + type: keyword + - name: CloudPlatform + type: keyword + - name: CloudProvider + type: keyword + - name: CloudService + type: keyword + - name: IncidentType + type: keyword + description: | + Incident Type + - name: CompositeId + type: keyword + description: Global unique identifier that identifies a unique alert. + - name: ComputerName + type: keyword + description: | + Name of the computer where the detection occurred. + - name: Description + type: keyword + - name: DetectName + type: keyword + description: | + Name of the detection. + - name: DataDomains + type: keyword + description: | + Data domains of the event that was the primary indicator or created it. + - name: ExecutionID + type: keyword + - name: ExecutionMetadata + type: group + fields: + - name: ExecutionDuration + type: long + - name: ExecutionStart + type: date + - name: ReportFileName + type: keyword + - name: ResultCount + type: long + - name: ResultID + type: keyword + - name: SearchWindowEnd + type: date + - name: SearchWindowStart + type: date + - name: ExecutablesWritten + type: group + fields: + - name: FileName + type: keyword + - name: FilePath + type: keyword + - name: Timestamp + type: keyword + - name: FalconHostLink + type: keyword + - name: FileName + type: keyword + - name: FilePath + type: keyword + - name: FilesAccessed + type: group + fields: + - name: FileName + type: keyword + - name: FilePath + type: keyword + - name: Timestamp + type: date + - name: FilesWritten + type: group + fields: + - name: FileName + type: keyword + - name: FilePath + type: keyword + - name: Timestamp + type: date + - name: GrandparentImageFilePath + type: keyword + - name: GrandParentCommandLine + type: keyword + - name: GrandParentImageFileName + type: keyword + - name: GrandParentImageFilePath + type: keyword + - name: Hostname + type: keyword + - name: LocalIPv6 + type: ip + - name: IOARuleGroupName + type: keyword + - name: IOARuleInstanceID + type: keyword + - name: LogonDomain + type: keyword + - name: MobileAppsDetails + type: group + fields: + - name: AndroidAppLabel + type: keyword + - name: AndroidAppVersionName + type: keyword + - name: AppIdentifier + type: keyword + - name: AppInstallerInformation + type: keyword + - name: DexFileHashes + type: keyword + - name: ImageFileName + type: keyword + - name: IsBeingDebugged + type: keyword + - name: IsContainerized + type: keyword + - name: Name + type: keyword + - name: NetworkAccesses + type: group + fields: + - name: AccessTimestamp + type: keyword + - name: AccessType + type: keyword + - name: ConnectionDirection + type: keyword + - name: IsIPV6 + type: keyword + - name: LocalAddress + type: keyword + - name: LocalPort + type: keyword + - name: Protocol + type: keyword + - name: RemoteAddress + type: keyword + - name: RemotePort + type: keyword + - name: PatternDispositionDescription + type: keyword + - name: ParentImageFilePath + type: keyword + - name: ParentProcessId + type: long + - name: PlatformId + type: keyword + - name: PlatformName + type: keyword + - name: ProcessId + type: long + - name: ReferrerUrl + type: keyword + - name: Region + type: keyword + - name: ReportFileReference + type: keyword + - name: ReportID + type: keyword + - name: ReportName + type: keyword + - name: ReportType + type: keyword + - name: StatusMessage + type: keyword + - name: Type + type: keyword + description: 'The endpoint detection type ("ldt": Legacy Endpoint Detection, or "ofp": Office Prevention Macro Detection).' + - name: UserName + type: keyword + - name: UserUUID + type: keyword + - name: ActivityId + type: keyword + description: | + ID of the activity that triggered the detection. + - name: PolicyId + type: long + description: | + The ID of the associated Policy. + - name: AddedPrivilege + type: keyword + description: | + The difference between their current and previous list of privileges. + - name: AdditionalAccountObjectGuid + type: keyword + description: | + Additional involved user object GUID. + - name: AdditionalAccountObjectSid + type: keyword + description: | + Additional involved user object SID. + - name: AdditionalAccountUpn + type: keyword + description: | + Additional involved user UPN. + - name: SourceAccountUpn + type: keyword + description: | + Source user UPN. + - name: AdditionalActivityId + type: keyword + description: | + ID of an additional activity related to the detection. + - name: AdditionalEndpointAccountObjectGuid + type: keyword + description: | + Additional involved endpoint object GUID. + - name: SourceEndpointAccountObjectGuid + type: keyword + description: | + Source endpoint object GUID + - name: AdditionalEndpointAccountObjectSid + type: keyword + description: | + Additional involved endpoint object SID. + - name: SourceEndpointAccountObjectSid + type: keyword + description: | + Source endpoint object SID. + - name: AdditionalEndpointSensorId + type: keyword + description: | + Additional involved endpoint agent ID. + - name: SourceEndpointIpReputation + type: keyword + description: | + Source endpoint IP reputation. + - name: SourceEndpointSensorId + type: keyword + description: | + Source endpoint agent ID. + - name: AdditionalLocationCountryCode + type: keyword + description: | + Additional involved country code. + - name: AdditionalSsoApplicationIdentifier + type: keyword + description: | + Additional application identifier. + - name: SsoApplicationIdentifier + type: keyword + description: | + Destination application identifier. + - name: SuspiciousMachineAccountAlterationType + type: keyword + description: | + Machine alteration type. + - name: AnomalousTicketContentClassification + type: keyword + description: | + Ticket signature analysis. + - name: CertificateTemplateName + type: keyword + description: | + Name of the certificate template. + - name: CertificateTemplateIdentifier + type: keyword + description: | + The ID of the certificate template. + - name: AccountCreationTimeStamp + type: date + description: | + The timestamp of when the source account was created in Active Directory. + - name: XdrType + type: keyword + description: | + Type of detection: xdr or xdr-scheduled-search. + - name: IdpPolicyRuleAction + type: keyword + description: | + Identity Protection policy rule action. + - name: IdpPolicyRuleName + type: keyword + description: | + Identity Protection policy rule name. + - name: IdpPolicyRuleTrigger + type: keyword + description: | + Identity Protection policy rule trigger. + - name: LdapSearchQueryAttack + type: keyword + description: | + Detected LDAP tool attack. + - name: Severity + type: integer + description: | + The integer severity level using Crowdstrike scaling. + - name: SeverityName + type: keyword + description: | + The severity level of the detection, as a string (High/Medium/Informational). + - name: NotificationId + type: keyword + description: | + ID of the generated notification. + - name: Highlights + type: text + description: | + Sections of content that matched the monitoring rule. + - name: ItemPostedTimestamp + type: date + description: | + Time the raw intelligence was posted. + - name: MostRecentActivityTimeStamp + type: date + description: | + The timestamp of the latest activity performed by the account. + - name: PrecedingActivityTimeStamp + type: date + description: | + The timestamp of the activity before the most recent activity was performed. + - name: SourceProducts + type: keyword + description: | + Names of the products from which the source data originated. + - name: SourceVendors + type: keyword + description: | + Names of the vendors from which the source data originated. + - name: EmailAddresses + type: keyword + description: | + Summary list of all associated entity email addresses. + - name: SHA1String + type: keyword + description: | + SHA1 sum of the executable associated with the detection. + - name: SHA256String + type: keyword + description: | + SHA256 sum of the executable associated with the detection. + - name: MD5String + type: keyword + description: | + MD5 sum of the executable associated with the detection. + - name: MachineDomain + type: keyword + description: | + Domain for the machine associated with the detection. + - name: HostGroups + type: keyword + description: | + Array of related Host Group IDs. + - name: SensorId + type: keyword + description: | + Unique ID associated with the Falcon sensor. + - name: TargetAccountDomain + type: keyword + description: | + Target user domain. + - name: TargetAccountName + type: keyword + description: | + Target user name. + - name: TargetAccountObjectSid + type: keyword + description: | + Target user object SID. + - name: TargetAccountUpn + type: keyword + description: | + Target user UPN. + - name: TargetEndpointAccountObjectGuid + type: keyword + description: | + Target endpoint object GUID. + - name: TargetEndpointAccountObjectSid + type: keyword + description: | + Target endpoint object SID. + - name: TargetEndpointHostName + type: keyword + description: | + Target endpoint hostname. + - name: TargetEndpointSensorId + type: keyword + description: | + Target endpoint agent ID. + - name: TargetServiceAccessIdentifier + type: keyword + description: | + Target SPN. + - name: DetectId + type: keyword + description: | + Unique ID associated with the detection. + - name: LocalIP + type: keyword + description: | + IP address of the host associated with the detection. + - name: MACAddress + type: keyword + description: | + MAC address of the host associated with the detection. + - name: Objective + type: keyword + description: | + Method of detection. + - name: PreviousPrivileges + type: keyword + description: | + A list of the source account's privileges before privilege changes were made. + - name: ProtocolAnomalyClassification + type: keyword + description: | + Authentication signature analysis. + - name: RpcOpClassification + type: keyword + description: | + RPC operation type. + - name: PatternDispositionValue + type: integer + description: | + Unique ID associated with action taken. + - name: PatternDispositionFlags + type: group + description: | + Flags indicating actions taken. + fields: + - name: ContainmentFileSystem + type: boolean + - name: Detect + type: boolean + - name: InddetMask + type: boolean + - name: Indicator + type: boolean + - name: KillParent + type: boolean + - name: KillProcess + type: boolean + - name: KillSubProcess + type: boolean + - name: OperationBlocked + type: boolean + - name: PolicyDisabled + type: boolean + - name: ProcessBlocked + type: boolean + - name: QuarantineFile + type: boolean + - name: QuarantineMachine + type: boolean + - name: Rooting + type: boolean + - name: SensorOnly + type: boolean + - name: BootupSafeguardEnabled + type: boolean + - name: CriticalProcessDisabled + type: boolean + - name: FsOperationBlocked + type: boolean + - name: RegistryOperationBlocked + type: boolean + - name: BlockingUnsupportedOrDisabled + type: boolean + - name: HandleOperationDowngraded + type: boolean + - name: KillActionFailed + type: boolean + - name: SuspendParent + type: boolean + - name: SuspendProcess + type: boolean + - name: AssociatedFile + type: keyword + description: | + The file associated with the triggering indicator. + - name: PatternId + type: keyword + description: | + The numerical ID of the pattern associated with the action taken on the detection. + - name: Finding + type: keyword + description: | + The details of the finding. + - name: FineScore + type: float + description: | + The highest incident score reached as of the time the event was sent. + - name: UserId + type: keyword + description: | + Email address or user ID associated with the event. + - name: OperationName + type: keyword + description: | + Event subtype. + - name: RulePriority + type: keyword + description: | + Priority of the monitoring rule that found the match. + - name: ItemType + type: keyword + description: | + Type of raw intelligence. + - name: OARuleInstanceID + type: keyword + description: | + Numerical ID of the custom IOA rule under a given CID. + - name: ResourceUrl + type: keyword + description: | + The URL to the cloud resource. + - name: Tags + type: nested + description: | + Tags on the cloud resources if any. + - name: IOARuleInstanceVersion + type: long + description: | + Version number of the InstanceID that triggered. + - name: ResourceAttributes + type: flattened + description: | + A JSON blob with all resource attributes. + - name: ResourceId + type: keyword + description: | + The cloud resource identifier. + - name: ResourceIdType + type: keyword + description: | + The type of the detected resource identifier. + - name: ResourceName + type: keyword + description: | + Resource name if any. + - name: IOARuleName + type: keyword + description: | + Name given to the custom IOA rule that triggered. + - name: SELinuxEnforcementPolicy + type: keyword + description: | + State of SELinux enforcement policy on an Android device. + - name: SafetyNetErrors + type: keyword + description: | + Describes a SafetyNet error + - name: SafetyNetCTSProfileMatch + type: keyword + description: | + The result of a stricter verdict for device integrity. + - name: SafetyNetBasicIntegrity + type: keyword + description: | + The result of a more lenient verdict for device integrity. + - name: SafetyNetEvaluationType + type: keyword + description: | + Provides information about the type of measurements used to compute fields likeCTSProfileMatch and BasicIntegrity. + - name: SafetyNetErrorMessage + type: keyword + description: | + An encoded error message. + - name: SafetyNetAdvice + type: keyword + description: | + Provides information to help explain why the Google SafetyNet Attestation API set eitherCTSProfileMatch or BasicIntegrity fields to false. + - name: KeyStoreErrors + type: keyword + description: | + Describes a KeyStore error. + - name: VerifiedBootState + type: keyword + description: | + Provides the device’s current boot state. + - name: MobileAppsDetails + type: nested + description: | + Provides one or more JSON objects describing the related mobile applications. + - name: MobileNetworkConnections + type: nested + description: | + Provides one or more JSON objects describing the related network connections from the mobile device. + - name: MobileDnsRequests + type: nested + description: | + Provides one or more JSON objects describing the related DNS requests from the mobile device. + - name: MountedVolumes + type: nested + description: | + Provides one or more JSON objects describing mounted volumes on the mobile device. + - name: Trampolines + type: nested + description: | + Provides one or more JSON objects describing the relevant functions and processes performing inline API hooks. + - name: LoadedObjects + type: nested + description: | + Provides one or more JSON objects describing the loaded objects related to the detection. + - name: ObjectiveCRuntimesAltered + type: nested + description: | + Provides one or more JSON objects describing the obj-c methods related to the malware. + - name: RootAccessIndicators + type: nested + description: | + Provides one or more JSON objects which includes logs and stack traces from the suspicious source. + - name: Certificates + type: nested + description: | + Provides one or more JSON objects which includes related SSL/TLS Certificates. + - name: EnvironmentVariables + type: nested + description: | + Provides one or more JSON objects which includes related environment variables. + - name: SystemProperties + type: nested + description: | + Provides one or more JSON objects which includes related system properties. + - name: Success + type: boolean + description: | + Indicator of whether or not this event was successful. + - name: AuditKeyValues + type: nested + description: | + Fields that were changed in this event. + - name: LMHostIDs + type: keyword + normalize: + - array + description: | + Array of host IDs seen to have experienced lateral movement because of the incident. + - name: NetworkAccesses + type: nested + description: | + Detected Network traffic done by a process. + - name: ScanResults + type: nested + description: | + Array of scan results. + - name: DnsRequests + type: nested + description: | + Detected DNS requests done by a process. + - name: DocumentsAccessed + type: nested + description: | + Detected documents accessed by a process. + - name: ExecutablesWritten + type: nested + description: | + Detected executables written to disk by a process. + - name: Attributes + type: flattened + description: | + JSON objects containing additional information about the event. + - name: SessionId + type: keyword + description: | + Session ID of the remote response session. + - name: LateralMovement + type: long + description: | + Lateral movement field for incident. + - name: GrandparentImageFileName + type: keyword + description: | + Path to the grandparent process. + - name: GrandparentCommandLine + type: keyword + description: | + Grandparent process command line arguments. + - name: IOCType + type: keyword + description: | + CrowdStrike type for indicator of compromise. + - name: IOCValue + type: keyword + description: | + CrowdStrike value for indicator of compromise. + - name: Category + type: keyword + description: | + IDP incident category. + - name: NumbersOfAlerts + type: long + description: | + Number of alerts in the identity-based incident. + - name: NumberOfCompromisedEntities + type: long + description: | + Number of compromised entities, users and endpoints. + - name: ServiceName + type: keyword + description: | + Description of which related service was involved in the event. + - name: State + type: keyword + description: | + Identity-based detection or incident status. + - name: ParentImageFileName + type: keyword + description: | + The parent image file name involved. + - name: CustomerId + type: keyword + description: | + Customer identifier. + - name: DeviceId + type: keyword + description: | + Device on which the event occurred. + - name: Ipv + type: keyword + description: | + Protocol for network request. + - name: EventType + type: keyword + description: | + CrowdStrike provided event type. + - name: ICMPCode + type: keyword + description: | + RFC2780 ICMP Code field. + - name: ICMPType + type: keyword + description: | + RFC2780 ICMP Type field. + - name: RuleAction + type: keyword + description: | + Firewall rule action. + - name: MatchCount + type: long + description: | + Number of firewall rule matches. + - name: MatchCountSinceLastReport + type: long + description: | + Number of firewall rule matches since the last report. + - name: Timestamp + type: date + description: | + Firewall rule triggered timestamp. + - name: Flags.Audit + type: boolean + description: | + CrowdStrike audit flag. + - name: Flags.Log + type: boolean + description: | + CrowdStrike log flag. + - name: Flags.Monitor + type: boolean + description: | + CrowdStrike monitor flag. + - name: Protocol + type: keyword + description: | + CrowdStrike provided protocol. + - name: ScheduledSearchId + type: keyword + description: | + Unique identifier of the associated scheduled search. + - name: ScheduledSearchUserUUID + type: keyword + description: | + UUID of the user that created the the associated scheduled search. + - name: ScheduledSearchUserId + type: keyword + description: | + User ID of the user that created the the associated scheduled search. + - name: ScheduledSearchExecutionId + type: keyword + description: | + ID of the specific search execution. + - name: NetworkProfile + type: keyword + description: | + CrowdStrike network profile. + - name: PolicyName + type: keyword + description: | + CrowdStrike policy name. + - name: PolicyID + type: keyword + description: | + CrowdStrike policy id. + - name: Status + type: keyword + description: | + CrowdStrike status. + - name: TreeID + type: keyword + description: | + CrowdStrike tree id. + - name: Commands + type: keyword + description: | + Commands run in a remote session. + - name: AnodeIndicators + type: nested + - name: ContentPatterns + type: group + fields: + - name: ID + type: keyword + - name: Name + type: keyword + - name: ConfidenceLevel + type: long + - name: MatchCount + type: long + - name: Destination + type: nested + - name: Destination.Channel + type: keyword + - name: EventTimestamp + type: date + - name: FileType.Type + type: group + fields: + - name: CategoryID + type: keyword + - name: CategoryName + type: keyword + - name: Description + type: keyword + - name: ID + type: keyword + - name: Name + type: keyword + - name: FilesEgressedCount + type: long + - name: FileCategoryCounts + type: nested + - name: ContentPatternCounts + type: nested + - name: DetectionType + type: keyword + - name: EgressEventId + type: keyword + - name: EgressSessionId + type: keyword + - name: IsClipboard + type: boolean + - name: MatchedClassification + type: group + fields: + - name: ID + type: keyword + - name: Name + type: keyword + - name: OriginWebLocations + type: flattened + - name: RelatedClassifications + type: group + fields: + - name: ID + type: keyword + - name: Name + type: keyword + - name: ResponseAction + type: keyword + - name: RuleId + type: keyword + - name: UserNotified + type: boolean + - name: UserTitle + type: keyword + - name: UserDepartment + type: keyword + - name: UserMapped + type: boolean + - name: IPv4 + type: ip + - name: IPv6 + type: ip + - name: DomainName + type: keyword + - name: MitreAttack + type: group + fields: + - name: Tactic + type: keyword + - name: TacticID + type: keyword + - name: Technique + type: keyword + - name: TechniqueID + type: keyword + - name: PatternID + type: keyword diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/manifest.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/manifest.yml new file mode 100644 index 0000000000..3c81d91757 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/manifest.yml @@ -0,0 +1,111 @@ +type: logs +title: CrowdStrike Falcon events +streams: + - input: logfile + enabled: false + vars: + - name: paths + type: text + title: Paths + description: Location of the files where event outputs are written. The contents of these files should be in a valid JSON format. + multi: true + required: true + show_user: true + default: + - /var/log/crowdstrike/falconhoseclient/output* + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - crowdstrike-falcon + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: log.yml.hbs + title: Falcon events + description: Collect CrowdStrike Falcon events through Falcon SIEM Connector. + - input: streaming + template_path: streaming.yml.hbs + title: Falcon events + description: Collect CrowdStrike Falcon events using Event Streams API. + enabled: false + vars: + - name: url + type: text + title: URL + description: Base URL of the CrowdStrike API. Defaults to https://api.crowdstrike.com. + default: https://api.crowdstrike.com + required: true + show_user: true + - name: token_url + type: text + title: Token URL + description: CrowdStrike API token URL. + default: https://api.crowdstrike.com/oauth2/token + required: true + show_user: false + - name: client_id + type: text + title: Client ID + description: Client ID for the CrowdStrike API. + multi: false + required: true + show_user: true + - name: client_secret + type: password + title: Client Secret + description: Client Secret for the CrowdStrike API. + multi: false + required: true + show_user: true + secret: true + - name: app_id + type: text + title: App ID + description: This field specifies the `appId` parameter sent to the CrowdStrike API. See the CrowdStrike documentation for details. + multi: false + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - crowdstrike-falcon + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/sample_event.json b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/sample_event.json new file mode 100644 index 0000000000..5954308e94 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/data_stream/falcon/sample_event.json @@ -0,0 +1,84 @@ +{ + "@timestamp": "2023-11-02T13:41:34.000Z", + "agent": { + "ephemeral_id": "8f4a039c-66d4-439c-a43f-c5a95f653dd4", + "id": "67072e92-576d-47d8-8a43-ebb347b4250b", + "name": "elastic-agent-93422", + "type": "filebeat", + "version": "8.18.1" + }, + "crowdstrike": { + "event": { + "AgentIdString": "fffffffff33333", + "SessionId": "1111-fffff-4bb4-99c1-74c13cfc3e5a" + }, + "metadata": { + "customerIDString": "abcabcabc22221", + "eventType": "RemoteResponseSessionStartEvent", + "offset": 1, + "version": "1.0" + } + }, + "data_stream": { + "dataset": "crowdstrike.falcon", + "namespace": "99576", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "67072e92-576d-47d8-8a43-ebb347b4250b", + "snapshot": false, + "version": "8.18.1" + }, + "event": { + "action": [ + "remote_response_session_start_event" + ], + "agent_id_status": "verified", + "category": [ + "network", + "session" + ], + "created": "2023-11-02T13:41:34.000Z", + "dataset": "crowdstrike.falcon", + "ingested": "2025-05-30T08:29:21Z", + "kind": "event", + "original": "{\"event\":{\"AgentIdString\":\"fffffffff33333\",\"HostnameField\":\"UKCHUDL00206\",\"SessionId\":\"1111-fffff-4bb4-99c1-74c13cfc3e5a\",\"StartTimestamp\":1698932494,\"UserName\":\"admin.rose@example.com\"},\"metadata\":{\"customerIDString\":\"abcabcabc22221\",\"eventCreationTime\":1698932494000,\"eventType\":\"RemoteResponseSessionStartEvent\",\"offset\":1,\"version\":\"1.0\"}}", + "start": "2023-11-02T13:41:34.000Z", + "type": [ + "start" + ] + }, + "host": { + "name": "UKCHUDL00206" + }, + "input": { + "type": "streaming" + }, + "message": "Remote response session started.", + "observer": { + "product": "Falcon", + "vendor": "Crowdstrike" + }, + "related": { + "hosts": [ + "UKCHUDL00206" + ], + "user": [ + "admin.rose", + "admin.rose@example.com" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "crowdstrike-falcon" + ], + "user": { + "domain": "example.com", + "email": "admin.rose@example.com", + "name": "admin.rose" + } +} diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/docs/README.md b/test/packages/benchmarks/system_benchmark_crowdstrike/docs/README.md new file mode 100644 index 0000000000..aef2c75e12 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/docs/README.md @@ -0,0 +1,315 @@ +# CrowdStrike Integration + +## Overview + +The [CrowdStrike](https://www.crowdstrike.com/) integration allows you to efficiently connect your CrowdStrike Falcon platform to Elastic for seamless onboarding of alerts and telemetry from CrowdStrike Falcon and Falcon Data Replicator. Elastic Security can leverage this data for security analytics including correlation, visualization, and incident response. + +For a demo, refer to the following video (click to view). + +[![CrowdStrike integration video](https://play.vidyard.com/VKKWSpg4sDEk1DBXATkyEP.jpg)](https://videos.elastic.co/watch/VKKWSpg4sDEk1DBXATkyEP) + +### Compatibility + +This integration is compatible with CrowdStrike Falcon SIEM Connector v2.0, REST API, and CrowdStrike Event Streams API. + +### How it works + +The integration collects data from multiple sources within CrowdStrike Falcon and ingests it into Elasticsearch for security analysis and visualization: + +![CrowdStrike Integration Flowchart](../img/crowdstrike-elastic-data-flow.drawio.svg) + +1. **CrowdStrike Event Streams** — Real-time security events (auth, CSPM, firewall, user activity, XDR, detections). You can collect this data in two ways: + - **Falcon SIEM Connector** — A pre-built integration that connects CrowdStrike Falcon with your SIEM. The connector collects event stream data and writes it to files; this integration reads from the connector's output path (the `output_path` in `cs.falconhoseclient.cfg`). + - **Event Streams API** — Continuously streams security logs from CrowdStrike Falcon for proactive monitoring and threat detection. + + Data from either method is indexed into the `falcon` dataset in Elasticsearch. + +2. **CrowdStrike REST API** — The integration uses the REST API to pull alerts, host inventory, and vulnerability data (indexed into the `alert`, `host`, and `vulnerability` datasets). + + :::{note} + GovCloud CID users must enable the GovCloud option in the integration configuration to query the `/devices/queries/devices/v1` endpoint instead of the unsupported `/devices/combined/devices/v1` endpoint. + ::: + +3. **Falcon Data Replicator (FDR)** — Batch data from your endpoints, cloud workloads, and identities using the Falcon platform's lightweight agent. Data is written to CrowdStrike-managed S3; this integration consumes it using SQS notifications (or from your own S3 bucket if you use the FDR tool to replicate). Logs are indexed into the `fdr` dataset in Elasticsearch. + +## What data does this integration collect? + +- **Event Streams** (falcon dataset) +- **FDR** (fdr dataset) +- **Alerts** (alert dataset) +- **Hosts** (host dataset) +- **Vulnerability** (vulnerability dataset) + +## What do I need to use this integration? + +This section describes the requirements and configuration details for each supported data source. + +### Collect data using CrowdStrike Falcon SIEM Connector + +To collect data using the Falcon SIEM Connector, you need the file path where the connector stores event data received from the Event Streams. +This is the same as the `output_path` setting in the `cs.falconhoseclient.cfg` configuration file. + +The integration supports only JSON output format from the Falcon SIEM Connector. Other formats such as Syslog and CEF are not supported. + +Additionally, this integration collects logs only through the file system. Ingestion using a Syslog server is not supported. + +:::{note} +The log files are written to multiple rotated output files based on the `output_path` setting in the `cs.falconhoseclient.cfg` file. The default output location for the Falcon SIEM Connector is `/var/log/crowdstrike/falconhoseclient/output`. +By default, files named `output*` in `/var/log/crowdstrike/falconhoseclient` directory contain valid JSON event data and should be used as the source for ingestion. + +Files with names like `cs.falconhoseclient-*.log` in the same directory are primarily used for logging internal operations of the Falcon SIEM Connector and are not intended to be consumed by this integration. +::: + +By default, the configuration file for the Falcon SIEM Connector is located at `/opt/crowdstrike/etc/cs.falconhoseclient.cfg`, which provides configuration options related to the events collected. The `EventTypeCollection` and `EventSubTypeCollection` sections list which event types the connector collects. + +### Collect data using CrowdStrike Event Streams + +The following parameters from your CrowdStrike instance are required: + +1. Client ID +2. Client Secret +3. Token URL +4. API Endpoint URL +5. CrowdStrike App ID +6. Required scopes for event streams: + + | Data Stream | Scope | + | ------------- | ------------------- | + | Event Stream | read: Event streams | + +:::{note} +You can use the Falcon SIEM Connector as an alternative to the Event Streams API. +::: + +#### Supported Event Streams event types + +The following event types are supported for CrowdStrike Event Streams (whether you use the Falcon SIEM Connector or the Event Streams API): + +- CustomerIOCEvent +- DataProtectionDetectionSummaryEvent +- DetectionSummaryEvent +- EppDetectionSummaryEvent +- IncidentSummaryEvent +- UserActivityAuditEvent +- AuthActivityAuditEvent +- FirewallMatchEvent +- RemoteResponseSessionStartEvent +- RemoteResponseSessionEndEvent +- CSPM Streaming events +- CSPM Search events +- IDP Incidents +- IDP Summary events +- Mobile Detection events +- Recon Notification events +- XDR Detection events +- Scheduled Report Notification events + +### Collect data using CrowdStrike REST API + +The following parameters from your CrowdStrike instance are required: + +1. Client ID +2. Client Secret +3. Token URL +4. API Endpoint URL +5. Required scopes for each data stream: + + | Data Stream | Scope | + | ------------- | ------------- | + | Alert | read:alert | + | Host | read:host | + | Vulnerability | read:vulnerability | + +### Collect data using CrowdStrike Falcon Data Replicator (FDR) + +The CrowdStrike Falcon Data Replicator allows CrowdStrike users to replicate data from CrowdStrike +managed S3 buckets. When new data is written to S3, notifications are sent to a CrowdStrike-managed SQS queue (using S3 event notifications configured in AWS), so this integration can consume them. + +This integration can be used in two ways. It can consume SQS notifications directly from the CrowdStrike managed +SQS queue or it can be used in conjunction with the FDR tool that replicates the data to a self-managed S3 bucket +and the integration can read from there. + +In both cases SQS messages are deleted after they are processed. This allows you to operate more than one Elastic +Agent with this integration if needed and not have duplicate events, but it means you cannot ingest the data a second time. + +#### Use with CrowdStrike managed S3/SQS + +This is the simplest way to setup the integration, and also the default. + +You need to set the integration up with the SQS queue URL provided by CrowdStrike FDR. + +#### Use with FDR tool and data replicated to a self-managed S3 bucket + +This option can be used if you want to archive the raw CrowdStrike data. + +You need to follow the steps below: + +- Create an S3 bucket to receive the logs. +- Create an SQS queue. +- Configure your S3 bucket to send object created notifications to your SQS queue. +- Follow the [FDR tool](https://github.com/CrowdStrike/FDR) instructions to replicate data to your own S3 bucket. +- Configure the integration to read from your self-managed SQS topic. + +:::{note} +While the FDR tool can replicate the files from S3 to your local file system, this integration cannot read those files because they are gzip compressed, and the log file input does not support reading compressed files. +::: + +#### Configuration for the S3 input + +AWS credentials are required for running this integration if you want to use the S3 input. + +##### Configuration parameters +* `access_key_id`: first part of access key. +* `secret_access_key`: second part of access key. +* `session_token`: required when using temporary security credentials. +* `credential_profile_name`: profile name in shared credentials file. +* `shared_credential_file`: directory of the shared credentials file. +* `endpoint`: URL of the entry point for an AWS web service. +* `role_arn`: AWS IAM Role to assume. + +##### Credential Types +There are three types of AWS credentials that can be used: + +- access keys, +- temporary security credentials, and +- IAM role ARN. + +##### Access keys + +`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the two parts of access keys. +They are long-term credentials for an IAM user, or the AWS account root user. +See [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) +for more details. + +##### Temporary security credentials + +Temporary security credentials have a limited lifetime and consist of an +access key ID, a secret access key, and a security token which are typically returned +from `GetSessionToken`. + +MFA-enabled IAM users would need to submit an MFA code +while calling `GetSessionToken`. `default_region` identifies the AWS Region +whose servers you want to send your first API request to by default. + +This is typically the Region closest to you, but it can be any Region. See +[Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) +for more details. + +`sts get-session-token` AWS CLI can be used to generate temporary credentials. +For example, with MFA-enabled: +```bash +aws> sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456 +``` + +Because temporary security credentials are short term, after they expire, the +user needs to generate new ones and manually update the package configuration in +order to continue collecting `aws` metrics. + +This will cause data loss if the configuration is not updated with new credentials before the old ones expire. + +##### IAM role ARN + +An IAM role is an IAM identity that you can create in your account that has +specific permissions that determine what the identity can and cannot do in AWS. + +A role does not have standard long-term credentials such as a password or access +keys associated with it. Instead, when you assume a role, it provides you with +temporary security credentials for your role session. +IAM role Amazon Resource Name (ARN) can be used to specify which AWS IAM role to assume to generate +temporary credentials. + +See [AssumeRole API documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) for more details. + +##### Supported Formats +1. Use access keys: Access keys include `access_key_id`, `secret_access_key` +and/or `session_token`. +2. Use `role_arn`: `role_arn` is used to specify which AWS IAM role to assume + for generating temporary credentials. + If `role_arn` is given, the package will check if access keys are given. + If not, the package will check for credential profile name. + If neither is given, default credential profile will be used. + + Ensure credentials are given under either a credential profile or + access keys. +3. Use `credential_profile_name` and/or `shared_credential_file`: + If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then + the package will check for `credential_profile_name`. + If you use different credentials for different tools or applications, you can use profiles to + configure multiple access keys in the same configuration file. + If there is no `credential_profile_name` given, the default profile will be used. + `shared_credential_file` is optional to specify the directory of your shared + credentials file. + If it's empty, the default directory will be used. + In Windows, shared credentials file is at `C:\Users\\.aws\credentials`. + For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. + See [Create Shared Credentials File](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html) + for more details. + +#### Supported FDR data + +The FDR dataset includes: + +- Events generated by the Falcon sensor on your hosts +- DataProtectionDetectionSummaryEvent (Data Protection detection summary) +- File Integrity Monitor: FileIntegrityMonitorRuleMatched and FileIntegrityMonitorRuleMatchedEnriched events +- EppDetectionSummaryEvent (EPP detection summary) +- CSPM: Indicators of Misconfiguration (IOM) and Indicators of Attack (IOA) events + +## How do I deploy this integration? + +1. In Kibana, go to **Management > Integrations**. +2. In the "Search for integrations" search bar, type **CrowdStrike**. +3. Click the **CrowdStrike** integration from the search results. +4. Click the **Add CrowdStrike** button to add the integration. +5. Configure the integration. +6. Click **Save and Continue** to save the integration. + +### Agentless enabled integration + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + +### Agent based installation + +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). +You can install only one Elastic Agent per host. +Elastic Agent is required to stream data from the AWS SQS, Event Streams API, REST API, or SIEM Connector and ship the data to Elastic, where the events will then be processed using the integration's ingest pipelines. + +## Troubleshooting + +### Vulnerability API returns 404 Not found + +This error can occur for the following reasons: +1. Too many records in the response. +2. The pagination token has expired. Tokens expire 120 seconds after a call is made. + +To resolve this, adjust the `Batch Size` setting in the integration to reduce the number of records returned per pagination call. + +### Duplicate Events + +The option `Enable Data Deduplication` allows you to avoid consuming duplicate events. By default, this option is set to `false`, and so duplicate events can be ingested. When this option is enabled, a [fingerprint processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/fingerprint-processor.html) is used to calculate a hash from a set of CrowdStrike fields that uniquely identify the event. The hash is assigned to the Elasticsearch [`_id`](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-id-field.html) field that makes the document unique and prevent duplicates. + +If duplicate events are ingested, to help find them, the integration's `event.id` field is populated by concatenating a few CrowdStrike fields that uniquely identify the event. These fields are `id`, `aid`, and `cid` from the CrowdStrike event. The fields are separated with pipe `|`. +For example, if your CrowdStrike event contains `id: 123`, `aid: 456`, and `cid: 789` then the `event.id` would be `123|456|789`. + +### Alert severity mapping + +The values used in `event.severity` are consistent with Elastic Detection Rules. + +| Severity Name | `event.severity` | +|----------------------------|:----------------:| +| Low, Info or Informational | 21 | +| Medium | 47 | +| High | 73 | +| Critical | 99 | + +The integration sets `event.severity` according to the mapping in the table above. If the severity name is not available from the original document, it is determined from the numeric severity value according to the following table. + +| CrowdStrike Severity | Severity Name | +|------------------------|:-------------:| +| 0 - 19 | info | +| 20 - 39 | low | +| 40 - 59 | medium | +| 60 - 79 | high | +| 80 - 100 | critical | diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/manifest.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/manifest.yml new file mode 100644 index 0000000000..28f0be4d22 --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/manifest.yml @@ -0,0 +1,105 @@ +name: crowdstrike +title: CrowdStrike +version: "3.12.0" +description: Collect logs from Crowdstrike with Elastic Agent. +type: integration +format_version: "3.4.0" +categories: [security, edr_xdr] +conditions: + kibana: + version: "^8.18.0 || ^9.0.0" +policy_templates: + - name: crowdstrike + title: CrowdStrike + description: Collect events and data from CrowdStrike Falcon + deployment_modes: + default: + enabled: true + agentless: + enabled: true + organization: security + division: engineering + team: security-service-integrations + inputs: + - type: logfile + title: Collect Falcon events and FDR logs through file system + description: Collect Falcon events from the SIEM Connector and Falcon Data Replicator (FDR) logs through the file system. + - type: cel + title: Collect data using the CrowdStrike REST API + description: Collect CrowdStrike Falcon data (alerts, hosts, vulnerabilities) using the REST API. + vars: + - name: client_id + type: text + title: Client ID + description: Client ID for the CrowdStrike API. + multi: false + required: true + show_user: true + - name: client_secret + type: password + title: Client Secret + description: Client Secret for the CrowdStrike API. + multi: false + required: true + show_user: true + secret: true + - name: url + type: text + title: URL + description: Base URL of the CrowdStrike API. Defaults to https://api.crowdstrike.com + default: https://api.crowdstrike.com + required: true + show_user: true + - name: token_url + type: text + title: Token URL + description: CrowdStrike API token URL. + default: https://api.crowdstrike.com/oauth2/token + required: true + show_user: false + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Ensure your username and password are in URL encoded format. + - name: proxy_headers + type: yaml + title: Proxy headers + multi: false + required: false + show_user: false + description: This specifies the headers to be sent to the proxy server. + - name: ssl + type: yaml + title: SSL Configuration + description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- +owner: + github: elastic/security-service-integrations + type: elastic diff --git a/test/packages/benchmarks/system_benchmark_crowdstrike/validation.yml b/test/packages/benchmarks/system_benchmark_crowdstrike/validation.yml new file mode 100644 index 0000000000..ab145056ed --- /dev/null +++ b/test/packages/benchmarks/system_benchmark_crowdstrike/validation.yml @@ -0,0 +1,7 @@ +errors: + exclude_checks: + - SVR00001 # Saved query, but no filter. + - SVR00002 + - SVR00004 # Saved search not allowed? + - SVR00005 # Kibana version for saved tags. + - JSE00001 # Array lists not recognised.